First published: Sun May 07 2023
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allow injection of unexpected HTML, if executed with untrusted input.
Credit: security@golang.org
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.19.9 | |
Golang Go | >=1.20.0, <1.20.4 | |
redhat/golang | <1.19.9 | 1.19.9 |
redhat/golang | <1.20.4 | 1.20.4 |
debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
debian/golang-1.19 | <=1.19.8-2 | |
IBM Concert Software | <=1.0.0 - 1.0.1 | |
The vulnerability ID for this issue is CVE-2023-24539.
The severity of CVE-2023-24539 is high.
Versions up to and excluding 1.19.9 of the golang package from Red Hat, as well as versions from 1.20.0 up to and excluding 1.20.4, are affected by CVE-2023-24539.
CVE-2023-24539 allows injection of unexpected HTML when a template is executed with untrusted input: angle brackets (<>) were not treated as dangerous characters in CSS contexts, and templates with multiple actions separated by a '/' character could unexpectedly close the CSS context.
To mitigate CVE-2023-24539, update the golang package to versions 1.19.9 or 1.20.4, as provided by Red Hat.
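As an added regression check (not code from the advisory or the Go project): the constructed probe below renders two actions in a CSS context separated by a '/' and inspects whether untrusted angle brackets survive into the `<style>` body. On a fixed toolchain html/template replaces the offending value with its failsafe marker `ZgotmplZ`; the template text, input values and helper names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed probe template: two actions in a CSS context inside <style>,
// separated by a '/' as in the advisory's description. Not from the advisory.
const probeTemplate = `<style>p{color:{{.A}}}/{{.B}}</style>`

// ProbeInput carries the two constructed untrusted values fed to the template.
type ProbeInput struct {
	A string
	B string
}

// RenderProbe executes the probe template and returns the rendered HTML.
// html/template picks the escaper per context, so the output shows how the
// running toolchain treats angle brackets in a CSS value.
func RenderProbe(in ProbeInput) (string, error) {
	t, err := template.New("probe").Parse(probeTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, in); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// AngleBracketsContained reports whether the untrusted values stayed inside
// the <style> element: the only '<' and '>' allowed are those the template
// itself wrote for the opening and closing style tags.
func AngleBracketsContained(out string) bool {
	body := strings.TrimPrefix(out, "<style>")
	body = strings.TrimSuffix(body, "</style>")
	return !strings.ContainsAny(body, "<>")
}

func main() {
	// Constructed inputs: A is benign, B tries to carry a '>' into the CSS context.
	out, err := RenderProbe(ProbeInput{A: "red", B: "style>"})
	if err != nil {
		fmt.Println("template error:", err)
		return
	}
	fmt.Println(out)
	if AngleBracketsContained(out) {
		fmt.Println("OK: angle brackets rejected in CSS context (fixed toolchain)")
	} else {
		fmt.Println("VULNERABLE: untrusted angle brackets reached the CSS context")
	}
}
```

Run it with `go run` under the toolchain you want to verify; a patched Go prints the OK line and the rendered markup shows `ZgotmplZ` in place of the rejected value.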