30 matches found

AstraLinux
added 2026/05/20 5:53 a.m.

Astra Linux - vulnerability in zabbix

Templates do not properly handle backticks as JavaScript string delimiters, and do not escape them as expected. Backticks have been used since ES6 for JavaScript template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be...

CVSS 9.8 | AI score 7.5 | EPSS 0.00559
Exploits: 0 | References: 2

OSV
added 2026/02/27 9:05 a.m.

RLSA-2026:3428 Important: container-tools:rhel8 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: html/template: errors returned from MarshalJSON methods may break template escaping CVE-2024-24785 crypto/x509: golang: Denial of Service due to excessive...

CVSS 7.5 | AI score 6.8 | EPSS 0.00924
Exploits: 3 | References: 4

RedhatCVE
added 2025/05/23 8:55 a.m.

CVE-2024-29892

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. To compensate for this ...

CVSS 6.1 | AI score 6.7 | EPSS 0.00224
Exploits: 0 | References: 1

Tenable Nessus
added 2025/03/05 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2023-29453

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Templates do not properly consider backticks as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template...

CVSS 9.8 | AI score 8.4 | EPSS 0.00559
Exploits: 0 | References: 3

NVD
added 2024/03/27 8:15 p.m.

CVE-2024-29892

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. To compensate for this ...

CVSS 6.1 | AI score 6.2 | EPSS 0.00224
Exploits: 0 | References: 8

Vulnrichment
added 2024/03/27 7:59 p.m.

CVE-2024-29892 ZITADEL's actions can overload reserved claims

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. To compensate for this ...

CVSS 6.1 | AI score 6.7 | EPSS 0.00224
Exploits: 0 | References: 8

Cvelist
added 2024/03/27 7:59 p.m.

CVE-2024-29892 ZITADEL's actions can overload reserved claims

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name. To compensate for this ...

CVSS 6.1 | AI score 6.3 | EPSS 0.00224
Exploits: 0 | References: 8

CVE
added 2024/03/27 7:59 p.m.

CVE-2024-29892

ZITADEL is vulnerable where an action could set reserved claims (e.g., urn:zitadel:iam:user:resourceowner:name) via Go template-driven login UI rendering. The root cause: actions could modify claims that start with urn:zitadel:iam, which is now blocked by a protective check. The issue is fixed in...

CVSS 6.1 | AI score 6.1 | EPSS 0.00224
Exploits: 0 | References: 8 | Affected Software: 1

Cvelist
added 2024/03/18 9:46 p.m.

CVE-2024-28855 ZITADEL vulnerable to improper HTML sanitization

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to an improper use of the text/template instead of the html/template package, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and...

CVSS 8.1 | AI score 8.4 | EPSS 0.02011
Exploits: 0 | References: 8

CVE
added 2024/03/18 9:46 p.m.

CVE-2024-28855

CVE-2024-28855 affects ZITADEL, an open-source authentication system. The Login UI renders with Go templates using text/template instead of html/template, failing to sanitize input parameters in versions up to 2.47.3 (and earlier 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, 2.41.15). An attacker coul...

CVSS 8.1 | AI score 8.1 | EPSS 0.02011
Exploits: 0 | References: 8 | Affected Software: 1

OSV
added 2024/03/18 8:34 p.m.

GHSA-HFRG-4JWR-JFPJ Improper HTML sanitization in ZITADEL

Impact: ZITADEL uses Go templates to render the login UI. Due to an improper use of the text/template instead of the html/template package, the Login UI did not sanitize input parameters. An attacker could create a malicious link, where he injected code which would be rendered as part of the login...

CVSS 8.1 | AI score 8 | EPSS 0.02011
Exploits: 0 | References: 11

RedHat Linux
added 2023/11/07 8:33 a.m.

golang: html/template: improper handling of empty HTML attributes

A flaw was found in golang. Templates containing actions in unquoted HTML attributes, for example, "attr=." executed with empty input, could result in output that has unexpected results when parsed due to HTML normalization rules. This issue may allow the injection of arbitrary attributes into ta...

CVSS 7.3 | AI score 6.7 | EPSS 0.00057
Exploits: 0 | References: 6

Positive Technologies
added 2023/09/11 12:00 a.m.

PT-2023-7219 · Zabbix +3

Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.21; Zabbix affected versions not specified. Description: The issue concerns the improper handling of backticks in JavaScript template literals within Go templates, potentially allowing for the injection of arbitrary...

CVSS 10 | AI score 7.7 | EPSS 0.00715
Exploits: 0 | References: 19

RedHat Linux
added 2023/07/20 5:32 p.m.

golang: html/template: improper handling of empty HTML attributes

A flaw was found in golang. Templates containing actions in unquoted HTML attributes, for example, "attr=." executed with empty input, could result in output that has unexpected results when parsed due to HTML normalization rules. This issue may allow the injection of arbitrary attributes into ta...

CVSS 7.3 | AI score 6.7 | EPSS 0.00057
Exploits: 0 | References: 6

RedHat Linux
added 2023/07/10 9:56 a.m.

golang: html/template: improper sanitization of CSS values

A flaw was found in golang where angle brackets were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in the CSS context unexpectedly closing, allowing for the injection of unexpected HTML if...

CVSS 7.3 | AI score 6.6 | EPSS 0.00077
Exploits: 0 | References: 6

RedHat Linux
added 2023/07/06 3:01 a.m.

golang: html/template: improper handling of JavaScript whitespace

A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be...

CVSS 9.8 | AI score 6.5 | EPSS 0.00289
Exploits: 0 | References: 6

RedHat Linux
added 2023/06/14 4:24 a.m.

golang: html/template: improper handling of JavaScript whitespace

A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be...

CVSS 9.8 | AI score 6.5 | EPSS 0.00289
Exploits: 0 | References: 6

RedHat Linux
added 2023/05/25 8:10 a.m.

golang: html/template: improper handling of empty HTML attributes

A flaw was found in golang. Templates containing actions in unquoted HTML attributes, for example, "attr=." executed with empty input, could result in output that has unexpected results when parsed due to HTML normalization rules. This issue may allow the injection of arbitrary attributes into ta...

CVSS 7.3 | AI score 6.7 | EPSS 0.00057
Exploits: 0 | References: 6

OSV
added 2023/05/11 4:15 p.m.

AZL-37500 CVE-2023-29400 affecting package golang for versions less than 1.21.6-1

Templates containing actions in unquoted HTML attributes e.g. "attr=." executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags...

CVSS 7.3 | AI score 6.8 | EPSS 0.00057
Exploits: 0 | References: 1

OSV
added 2023/05/11 4:15 p.m.

AZL-79022 CVE-2023-29400 affecting package golang 1.25.7-1

Templates containing actions in unquoted HTML attributes e.g. "attr=." executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags...

CVSS 7.3 | AI score 6.8 | EPSS 0.00057
Exploits: 0 | References: 1