CVE-2023-39318 : The html/template package does not properly handle HTML-like "" comment tokens,

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.

Published 2023-09-08 17:15:28

Updated 2023-11-25 11:15:17

Source Go Project

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-39318

Golang » GO
Versions from including (>=) 1.21.0 and before (<) 1.21.1
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions before (<) 1.20.8
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-39318

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-39318

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2023-39318

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security@golang.org (Secondary)

References for CVE-2023-39318

https://go.dev/cl/526156

html/template: support HTML-like comments in script contexts (526156) · Gerrit Code Review
Patch
https://pkg.go.dev/vuln/GO-2023-2041

GO-2023-2041 - Go Packages
Vendor Advisory
https://go.dev/issue/62196

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) · Issue #62196 · golang/go · GitHub
Issue Tracking
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ

[security] Go 1.21.1 and Go 1.20.8 are released
Mailing List;Release Notes

CVEs referencing this url
https://security.gentoo.org/glsa/202311-09

Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20231020-0009/

September 2023 Golang Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-39318

Products affected by CVE-2023-39318

Exploit prediction scoring system (EPSS) score for CVE-2023-39318

CVSS scores for CVE-2023-39318

CWE ids for CVE-2023-39318

References for CVE-2023-39318