CVE-2023-24539
Public on 2023-05-05
Modified on 2024-03-28
Description
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Docker Extra | containerd | 2023-08-17 | ALAS2DOCKER-2023-029 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2023-08-03 | ALAS2NITRO-ENCLAVES-2023-026 | Fixed |
| Amazon Linux 1 | golang | 2023-06-05 | ALAS-2023-1760 | Fixed |
| Amazon Linux 2 - Core | golang | 2023-05-25 | ALAS2-2023-2052 | Fixed |
| Amazon Linux 2 - Golang1.19 Extra | golang | 2023-08-07 | ALAS2GOLANG1.19-2023-001 | Fixed |
| Amazon Linux 2023 | golang | 2023-06-07 | ALAS2023-2023-209 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSSv3 | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |