377 matches found
Malicious code in babel-plugin-transform-html-template (npm)
The package babel-plugin-transform-html-template was found to contain malicious code...
MAL-2025-15296 Malicious code in babel-plugin-transform-html-template (npm)
The package babel-plugin-transform-html-template was found to contain malicious code...
K000152671: Golang html/template vulnerabilities CVE-2023-39318,CVE-2023-39319, and CVE-2024-24785
Security Advisory Description CVE-2023-39318 The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
OESA-2025-1683 etcd security update
%expand: Security Fixes: When parsing a multipart form either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile, limits on the total size of the parsed form were not applied to the memory consumed while reading a single for...
CVE-2024-22414
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary javascript code. The html template user.html contains the following code snippet to render comments made by a user: comment2|safe . Use of the "safe" ta...
Linux Distros Unpatched Vulnerability : CVE-2023-39319
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The html/template package does not apply the proper rules for handling occurrences of contexts. This may cause the template parser to improperly consider script...
S3-Proxy allows Reflected Cross-site Scripting (XSS) in template implementation
Summary A Reflected Cross-site Scripting XSS vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a high risk to all users. Details Give all details ...
OESA-2025-1076 podman security update
Podman manages the entire container ecosystem which includes pods, containers, container images, and container volumes using the libpod library. Security Fixes: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavio...
golang: html/template: errors returned from MarshalJSON methods may break template escaping
A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into...
Moderate: Red Hat Security Advisory: toolbox security update
An update for toolbox is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...
USN-7061-1 golang-1.17 vulnerabilities
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. CVE-2023-24531 Sohom Datta discovered that Go did not properly validate backticks as Javascript string delimiters, and did not...
The vulnerability in the Go programming language’s html/template package allows attackers to execute XSS attacks.
The vulnerability of the Go programming language’s html/template package is related to the lack of measures taken to protect web page structures. Exploiting this vulnerability allows an attacker to perform XSS attacks remotely...
The vulnerability in the Go programming language’s html/template package allows attackers to execute XSS attacks.
The vulnerability of the Go programming language’s html/template package is related to the lack of measures taken to protect web page structures. Exploiting this vulnerability allows an attacker to perform XSS attacks remotely...
ROS-20241001-02
Vulnerability of html/template package of Golang programming language is related to incorrect handling of <script> occurrences of <script>, <!--> and </script> in JS literals in <script> contexts. Exploitation vulnerability could allow an attacker acting remotely to perform an...
Scammers advertise fake AppleCare+ service via GitHub repos
Weve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository...
golang: html/template: errors returned from MarshalJSON methods may break template escaping
A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into...
Accellion FTA Statecode Cookie Arbitrary File Read
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Accellion FTA 'statecode' Cookie Arbitrary File Read", 'Description' = %q This module exploits a file disclosure vulnerability in the Accellion...
ROS-20240805-08
A vulnerability in the golang package of the Debian GNU/Linux operating system is related to a lack of protection for service data. data. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information A vulnerability in the golang package of the...
Security Bulletin: Vulnerabilities in Golang Go affect Cloud pak System [CVE-2023-39319, CVE-2023-39318]
Summary Vulnerabilities in Golang Go affect Cloud Pak System Software. Vulnerability Details CVEID:CVE-2023-39319 DESCRIPTION: Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this...
golang: html/template: errors returned from MarshalJSON methods may break template escaping
A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into...