CVE-2023-3978: Improper rendering of text nodes in golang.org/x/net/html
First published: Wed Aug 02 2023(Updated: )
Golang html package is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Credit: security@golang.org security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/golang.org/x/net | <0.13.0 | 0.13.0 |
| Golang Networking Go | <0.13.0 | |
| redhat/golang.org/x/net/html | <0.13.0 | 0.13.0 |
| IBM Concert Software | <=1.0.0 - 1.0.1 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/issue/61615
- https://go.dev/cl/514896
- https://pkg.go.dev/vuln/GO-2023-1988
- https://nvd.nist.gov/vuln/detail/CVE-2023-3978
- https://github.com/advisories/GHSA-2wrh-6pvc-2jm9 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229582
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229583
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229577
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229584
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229585
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229586
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229587
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229588
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229589
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229590
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229591
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229592
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229593
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229594
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229595
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229578
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229597
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229598
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229579
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229599
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229600
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229601
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229580
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229602
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229603
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229604
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229605
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229581
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229607
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229608
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2229610
- https://access.redhat.com/errata/RHSA-2023:5888
- https://access.redhat.com/errata/RHSA-2023:6031
- https://access.redhat.com/errata/RHSA-2023:5006
- https://access.redhat.com/errata/RHSA-2023:5007
- https://access.redhat.com/errata/RHSA-2023:5009
- https://access.redhat.com/errata/RHSA-2023:6474
- https://access.redhat.com/errata/RHSA-2023:6832
- https://access.redhat.com/errata/RHSA-2023:6938
- https://access.redhat.com/errata/RHSA-2023:6939
- https://access.redhat.com/errata/RHSA-2023:7216
- https://access.redhat.com/errata/RHSA-2023:6837
- https://access.redhat.com/errata/RHSA-2023:7315
- https://access.redhat.com/errata/RHSA-2024:0485
- https://access.redhat.com/errata/RHSA-2023:7197
- https://access.redhat.com/errata/RHSA-2023:7198
- https://access.redhat.com/errata/RHSA-2024:0944
- https://access.redhat.com/errata/RHSA-2024:1891
- https://bugzilla.redhat.com/show_bug.cgi?id=2228689
- https://www.ibm.com/support/pages/node/7173596 (Advisory)
Frequently Asked Questions
What is CVE-2023-3978?
CVE-2023-3978 is a vulnerability that allows text nodes not in the HTML namespace to be incorrectly literally rendered, potentially leading to an XSS attack.
What is the severity of CVE-2023-3978?
The severity of CVE-2023-3978 is medium with a CVSS score of 6.1.
Which software is affected by CVE-2023-3978?
The Golang Networking software up to version 0.13.0 is affected by CVE-2023-3978.
How can CVE-2023-3978 be exploited?
CVE-2023-3978 can be exploited by injecting malicious code into text nodes not in the HTML namespace.
How can I fix CVE-2023-3978?
To fix CVE-2023-3978, update your Golang Networking software to a version higher than 0.13.0.
- collector/nvd-latest
- collector/github-advisory-latest
- alias/GHSA-2wrh-6pvc-2jm9
- alias/CVE-2023-3978
- collector/github-advisory
- agent/type
- agent/severity
- agent/author
- agent/remedy
- agent/description
- agent/weakness
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/references
- agent/title
- agent/event
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/ibm-support
- source/IBM
- package-manager/go
- vendor/golang
- canonical/golang networking go
- package-manager/redhat
- vendor/ibm
- canonical/ibm concert software
- version/ibm concert software/1.0.0 - 1.0.1