CVE-2023-24540
CRITICAL9.8EPSS 0.29%Improper handling of JavaScript whitespace in html/template
發布日:2023/5/5修改日:2026/4/28
也稱為:DEBIAN-CVE-2023-24540
描述
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
受影響套件(4)
- Bitnami/golangfrom 0, < 1.19.9, >= 1.20.0, < 1.20.4
- Debian/golang-1.15from 0
- Debian/golang-1.19from 0
- Go/stdlibfrom 0, < 1.19.9, >= 1.20.0-0, < 1.20.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-24540
- PATCHhttps://go.dev/cl/491616
- REPORThttps://go.dev/issue/59721
- WEBhttps://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2023-24540
- WEBhttps://pkg.go.dev/vuln/GO-2023-1752
- WEBhttps://security.netapp.com/advisory/ntap-20241115-0008/