First published: Sun May 07 2023
Templates containing actions in unquoted HTML attributes (e.g. `attr={{.}}`) executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Credit: security@golang.org
Affected Software | Affected Version | How to fix
---|---|---
Golang Go | <1.19.9 | Upgrade to Go 1.19.9 or later
Golang Go | >=1.20.0, <1.20.4 | Upgrade to Go 1.20.4 or later
The vulnerability ID of this issue is CVE-2023-29400.
The severity level of CVE-2023-29400 is high with a score of 7.3.
CVE-2023-29400 is a vulnerability where templates containing actions in unquoted HTML attributes executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules, allowing injection of arbitrary attributes into tags.
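The normalization rule the advisory refers to is that, after an unquoted `=`, an HTML parser skips whitespace and then reads the value up to the next whitespace, so `title= class="nav"` becomes a single `title` attribute whose value is `class="nav"`. The following Go program is an added example written for this page, not code from the Go project or the advisory: it renders a risky unquoted template and its quoted counterpart with `html/template` on empty input, then parses the resulting start tag with a minimal attribute tokenizer (`parseAttrs`, written here to mirror that rule) to show which attributes survive. The template strings, the `class="nav"` canary attribute and the helpers `attrPart`, `render` and `absorbsNextAttr` are all constructed for this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

const (
	unquotedTmpl = `<a title={{.}} class="nav">`   // risky form: action in an unquoted attribute
	quotedTmpl   = `<a title="{{.}}" class="nav">` // safe form: attribute value always quoted
)

// render executes a one-line html/template with the given string value.
func render(tmpl, v string) string {
	var b strings.Builder
	t := template.Must(template.New("t").Parse(tmpl))
	if err := t.Execute(&b, v); err != nil {
		panic(err)
	}
	return b.String()
}

// attrPart returns the attribute section of a single start tag: everything
// after the tag name up to the closing '>' (constructed helper for this example).
func attrPart(tag string) string {
	tag = strings.TrimPrefix(tag, "<")
	tag = strings.TrimSuffix(tag, ">")
	end := strings.IndexAny(tag, " \t\n\r\f/")
	if end < 0 {
		return ""
	}
	return tag[end:]
}

// parseAttrs is a deliberately minimal attribute tokenizer that applies the
// HTML rules relevant here: whitespace after '=' is skipped, a quoted value runs
// to the matching quote, an unquoted value runs to the next whitespace, and a
// repeated attribute name keeps its first value.
func parseAttrs(s string) map[string]string {
	isSpace := func(c byte) bool {
		return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f'
	}
	attrs := map[string]string{}
	i := 0
	for i < len(s) {
		for i < len(s) && (isSpace(s[i]) || s[i] == '/') {
			i++
		}
		if i >= len(s) {
			break
		}
		start := i
		for i < len(s) && !isSpace(s[i]) && s[i] != '=' && s[i] != '/' {
			i++
		}
		name := strings.ToLower(s[start:i])
		for i < len(s) && isSpace(s[i]) {
			i++
		}
		val := ""
		if i < len(s) && s[i] == '=' {
			i++
			for i < len(s) && isSpace(s[i]) {
				i++ // whitespace after '=' is skipped: this is the root of the issue
			}
			if i < len(s) && (s[i] == '"' || s[i] == '\'') {
				q := s[i]
				i++
				start = i
				for i < len(s) && s[i] != q {
					i++
				}
				val = s[start:i]
				if i < len(s) {
					i++ // consume the closing quote
				}
			} else {
				start = i
				for i < len(s) && !isSpace(s[i]) {
					i++ // unquoted: everything up to the next whitespace is the value
				}
				val = s[start:i]
			}
		}
		if name == "" {
			continue
		}
		if _, dup := attrs[name]; !dup {
			attrs[name] = val
		}
	}
	return attrs
}

// absorbsNextAttr renders tmpl with an empty value and reports whether the
// trailing class="nav" attribute was swallowed into the preceding attribute.
// It is a regression check a team can run against its own templates.
func absorbsNextAttr(tmpl string) bool {
	_, ok := parseAttrs(attrPart(render(tmpl, "")))["class"]
	return !ok
}

func main() {
	for _, tmpl := range []string{unquotedTmpl, quotedTmpl} {
		out := render(tmpl, "")
		fmt.Printf("template %-28s -> %-30s parsed: %v (absorbs next attr: %v)\n",
			tmpl, out, parseAttrs(attrPart(out)), absorbsNextAttr(tmpl))
	}
}
```

On an affected Go release the unquoted template renders as `<a title= class="nav">` and `absorbsNextAttr` reports true, because the browser reads `class="nav"` as the value of `title`; on Go 1.19.9 / 1.20.4 and later the library substitutes a non-empty placeholder for the empty value so the following attribute survives. The quoted form is stable on every release, which is why always quoting attribute values in templates is the portable mitigation.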
The affected versions are Go releases before 1.19.9, and Go 1.20.0 up to but not including 1.20.4.
References for CVE-2023-29400: [Red Hat Bugzilla 2196474](https://bugzilla.redhat.com/show_bug.cgi?id=2196474), [Red Hat Bugzilla 2196475](https://bugzilla.redhat.com/show_bug.cgi?id=2196475), [golang-announce](https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU).