#VU80573 Cross-site scripting in Go programming language


Published: 2023-09-08

Vulnerability identifier: #VU80573

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39319

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists within the html/template package caused by improperly applied rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. A remote attacker can pass specially crafted input to the application and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.21 rc1 - 1.21.0, 1.20 - 1.20.7

External links
http://groups.google.com/g/golang-announce/c/Fm51GRLNRvM/m/F5bwBlXMAQAJ?pli=1
http://go.dev/issue/62197

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat Enterprise Linux 9 update for toolbox
Multiple vulnerabilities in Red Hat Service Interconnect 1.5
Multiple vulnerabilities in IBM Sterling Order Management
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data
Multiple vulnerabilities in IBM Operations Dashboard
Ubuntu update for golang-1.20
Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM MQ Operator
Red Hat Enterprise Linux 9 update for containernetworking-plugins