[GO-2023-2041] Improper handling of HTML-like comments in script contexts in html/template

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1

The html/template package does not properly handle HTML-like "<!--" and "-->"
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. The
template parser may therefore misinterpret the contents of a <script> context
and apply the wrong contextual escaping to actions inside it, which may be
leveraged to perform an XSS attack.
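To make the escaping difference concrete, the following is an added example; it is not code from this advisory or from the Go project. It renders two small templates, constructed for the purpose, with html/template. Each template puts a stray single quote on a line that begins with one of the comment tokens the advisory names, and an action on the next line. On a patched Go (1.20.8, 1.21.1 or later) the token opens a comment, so the action sits in JavaScript code context and is emitted as a quoted JS value. My reading of the advisory, not a statement it makes itself, is that an unpatched parser did not recognise the token, took the quote as the start of a JavaScript string, and applied string-content escaping to the action, which emits the payload unquoted as executable code on the line after the comment. The template strings, the payload alert(1) and the helper names render and assignedAsJSValue are assumptions of this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Templates constructed for this example (not from the advisory or the Go
// project). Each puts a stray single quote on a line that starts with one of
// the comment tokens the advisory names, then an action on the next line.
// A browser treats a line beginning with "<!--" inside <script> as a
// single-line comment (ECMAScript Annex B HTML-like comments); patched
// html/template treats "<!--", "-->" and "#!" as line comments, so the
// action is in JavaScript code context, not inside a string literal.
const htmlLikeCommentTmpl = "<script>\n<!-- '\nvar v = {{.}};\n// '\n</script>"
const hashbangCommentTmpl = "<script>#! '\nvar v = {{.}};\n// '\n</script>"

// render parses tmpl with html/template and executes it with data, returning
// the contextually escaped output.
func render(tmpl string, data any) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// assignedAsJSValue reports whether the rendered output assigns the payload
// to v as a quoted JavaScript value, which is the escaping html/template
// applies to an action in JavaScript code context. If the output instead
// contains the bare payload, the action was escaped as string content (the
// pre-fix misinterpretation) and the payload would run as code.
func assignedAsJSValue(out, payload string) bool {
	quoted := `var v = "` + payload + `";`
	bare := "var v = " + payload + ";"
	return strings.Contains(out, quoted) && !strings.Contains(out, bare)
}

func main() {
	payload := "alert(1)" // constructed attacker-controlled data
	for _, tc := range []struct{ name, tmpl string }{
		{"HTML-like comment", htmlLikeCommentTmpl},
		{"hashbang comment", hashbangCommentTmpl},
	} {
		out, err := render(tc.tmpl, payload)
		if err != nil {
			fmt.Printf("%s: render error: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%s:\n%s\nescaped as JS value: %v\n\n",
			tc.name, out, assignedAsJSValue(out, payload))
	}
}
```

Run it under a patched toolchain and both templates report true: the comment line (including the stray quote) is stripped from the output and the payload appears as "alert(1)", a harmless string value. If you need to support an unpatched toolchain, the practical mitigation is to keep these tokens out of script bodies in templates rather than to rely on this check at runtime.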

Package Affected Version
pkg:golang/html/template < 1.20.8
pkg:golang/html/template >= 1.21.0, < 1.21.1
Package Fixed Version
pkg:golang/html/template = 1.20.8
pkg:golang/html/template = 1.21.1
Type      Package URL               Namespace  Name / Product  Version
Fixed     pkg:golang/html/template  html       template        = 1.20.8
Affected  pkg:golang/html/template  html       template        < 1.20.8
Fixed     pkg:golang/html/template  html       template        = 1.21.1
Affected  pkg:golang/html/template  html       template        >= 1.21.0, < 1.21.1