CVE-2024-22199

2024-01-1118:15:45

Google

osv.dev

202

fiber web framework

template engine

vulnerability

xss attacks

autoescape

web applications

user-supplied data

malicious scripts

browser security

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users’ browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to true, effectively mitigating the risk of XSS attacks.

CPENameOperatorVersion
templateeq1.5.2
templateeqpug/v2.1.2
templateeq1.7.1
templateeq1.0.0
templateeqamber/v2.1.0
templateeq1.6.20
templateeqpug/v2.1.5
templateeqslim/v2.1.2
templateeq1.6.4
templateeq1.6.24

Name	Operator	Version
template	eq	1.5.2
template	eq	pug/v2.1.2
template	eq	1.7.1
template	eq	1.0.0
template	eq	amber/v2.1.0
template	eq	1.6.20
template	eq	pug/v2.1.5
template	eq	slim/v2.1.2
template	eq	1.6.4
template	eq	1.6.24