CVE-2023-29400

Name
CVE-2023-29400
Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://go.dev/cl/491617
MISC https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
MISC https://pkg.go.dev/vuln/GO-2023-1753
MISC https://go.dev/issue/59722

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= 1.20.0 < 1.20.4
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None < 1.19.9

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go 3.17-community 1.19.9-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed