Improper handling of empty HTML attributes in html/template
CVE-2023-29400
7.3 HIGH
What is CVE-2023-29400?
This vulnerability affects the html/template package of the Go programming language. Templates that contain actions inside unquoted HTML attribute values behave unexpectedly when executed with empty input: HTML normalization rules cause the browser to parse the resulting output differently from what the template author intended. This flaw may permit the injection of arbitrary attributes into HTML tags, a significant security risk that could be abused.
Affected Version(s)
html/template: versions >= 0 and < 1.19.9
html/template: versions >= 1.20.0-0 and < 1.20.4
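The following Go program, added here as an illustration and not taken from the advisory or from the Go project, shows the affected pattern (an action as a bare, unquoted attribute value) next to the safe, quoted rewrite, and includes a small hypothetical helper that scans template source text for the unquoted pattern so existing templates can be audited. The template strings and the helper's name and regular expression are this example's own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// unquotedAttrAction matches an attribute whose value is a bare template action,
// e.g. `href={{.URL}}`: the pattern CVE-2023-29400 concerns. It is a source-text
// heuristic for auditing templates, not an HTML parser (hypothetical helper).
var unquotedAttrAction = regexp.MustCompile(`[A-Za-z_:][-\w:.]*=\{\{[^}]*\}\}`)

// FindUnquotedAttrActions returns each unquoted-attribute action found in src.
func FindUnquotedAttrActions(src string) []string {
	return unquotedAttrAction.FindAllString(src, -1)
}

// Render parses src as an html/template and executes it with data.
func Render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed templates. With an empty value, the unquoted form rendered
	// `<a href= class=link>` on affected Go versions; a browser then takes
	// `class=link` as the href value, so the class attribute silently vanishes.
	const unquoted = `<a href={{.}} class=link>x</a>`
	const quoted = `<a href="{{.}}" class="link">x</a>`

	fmt.Println("audit hits:", FindUnquotedAttrActions(unquoted)) // [href={{.}}]
	fmt.Println("audit hits:", FindUnquotedAttrActions(quoted))   // []

	for _, src := range []string{unquoted, quoted} {
		out, err := Render(src, "")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s -> %s\n", src, out)
	}
}
```

Quoting every attribute value keeps the output stable regardless of Go version: the quoted template renders `<a href="" class="link">x</a>` for empty input, so the attribute boundary never depends on the action's value.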
References
CVSS V3.1
Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Juho Nurminen of Mattermost