CVE-2023-24539
Public on 2023-05-05
Modified on 2024-03-28
Description
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
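An added Go example (not code from this advisory or from the Go project) for checking exposure: `FindSlashJoinedCSSActions` flags the template shape the description names, limited here to `<style>` elements, and `CSSContextFiltersAngleBrackets` probes whether the html/template in the build toolchain keeps angle brackets out of a CSS context. The function names, the probe template and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// styleBlock captures the body of each <style> element in template source.
var styleBlock = regexp.MustCompile(`(?is)<style[^>]*>(.*?)</style>`)

// slashJoined matches two template actions separated only by '/',
// the pattern named in the CVE-2023-24539 description.
var slashJoined = regexp.MustCompile(`\{\{[^}]*\}\}\s*/\s*\{\{[^}]*\}\}`)

// FindSlashJoinedCSSActions returns every "{{..}}/{{..}}" occurrence that
// sits inside a <style> element of src (style attributes are not covered).
func FindSlashJoinedCSSActions(src string) []string {
	var hits []string
	for _, m := range styleBlock.FindAllStringSubmatch(src, -1) {
		hits = append(hits, slashJoined.FindAllString(m[1], -1)...)
	}
	return hits
}

// CSSContextFiltersAngleBrackets renders a constructed probe template with
// a harmless marker that contains angle brackets and reports whether the
// html/template in use kept those characters out of the CSS context.
func CSSContextFiltersAngleBrackets() (bool, error) {
	const src = `<style>p { background: {{.A}}/{{.B}} }</style>`
	t, err := template.New("probe").Parse(src)
	if err != nil {
		return false, err
	}
	var out strings.Builder
	if err := t.Execute(&out, map[string]string{"A": "<probe>", "B": "x"}); err != nil {
		return false, err
	}
	body := strings.TrimSuffix(strings.TrimPrefix(out.String(), "<style>"), "</style>")
	return !strings.ContainsAny(body, "<>"), nil
}

func main() {
	src := `<style>a { background: {{.Dir}}/{{.File}} }</style>` // constructed sample
	fmt.Println("slash-joined actions in <style>:", FindSlashJoinedCSSActions(src))
	ok, err := CSSContextFiltersAngleBrackets()
	fmt.Println("angle brackets filtered in CSS context:", ok, err)
}
```

A `false` result from the probe means the html/template in use still passes angle brackets into CSS, so affected binaries should be rebuilt with the fixed golang package listed under Affected Packages.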
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Docker Extra | containerd | 2023-08-17 | ALAS2DOCKER-2023-029 | Fixed |
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2023-08-03 | ALAS2NITRO-ENCLAVES-2023-026 | Fixed |
Amazon Linux 1 | golang | 2023-06-05 | ALAS-2023-1760 | Fixed |
Amazon Linux 2 - Core | golang | 2023-05-25 | ALAS2-2023-2052 | Fixed |
Amazon Linux 2 - Golang1.19 Extra | golang | 2023-08-07 | ALAS2GOLANG1.19-2023-001 | Fixed |
Amazon Linux 2023 | golang | 2023-06-07 | ALAS2023-2023-209 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
NVD | CVSSv3 | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |