CVE-2023-3978

Published: Aug 2, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

Affected (1)

Products: Golang: Networking

Golang

1 product

Networking

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Golang Networking	Before 0.13.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://go.dev/cl/514896

Source: security@golang.org

Patch

https://go.dev/issue/61615

Source: security@golang.org

Issue TrackingPatchVendor Advisory

https://pkg.go.dev/vuln/GO-2023-1988

Source: security@golang.org

Issue TrackingPatchVendor Advisory

https://go.dev/cl/514896

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/61615

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://pkg.go.dev/vuln/GO-2023-1988

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.