
CVE-2023-39319 Improper handling of special tags within script contexts in html/template

2023-09-08 16:13:28
Go
www.cve.org
xss attack
script contexts
html/template package

AI Score: 6.9 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 26.2%)

The html/template package does not apply the proper rules for handling occurrences of “<script”, "

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "html/template",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "html/template",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.20.8",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.21.0-0",
        "lessThan": "1.21.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "escaper.escapeText"
      },
      {
        "name": "tSpecialTagEnd"
      },
      {
        "name": "indexTagEnd"
      },
      {
        "name": "Template.Execute"
      },
      {
        "name": "Template.ExecuteTemplate"
      }
    ],
    "defaultStatus": "unaffected"
  }
]