PT-2020-15731 · Google+6 · Go+6

Published

2020-08-19

·

Updated

2024-06-15

·

CVE-2020-24553

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Go versions 1.14.8 and earlier, 1.15.x before 1.15.1
Description The issue allows cross-site scripting (XSS) because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. This can be exploited if an attacker can control any part of the contents of a response. The estimated number of potentially affected devices worldwide is not specified.
Recommendations For Go versions 1.14.8 and earlier, update to version 1.14.8 or later. For Go versions 1.15.x before 1.15.1, update to version 1.15.1 or later. As a temporary workaround, consider explicitly setting the Content-Type header in handlers to avoid defaulting to text/html. Avoid not setting the Content-Type header explicitly on any attacker-controlled file, as this is unsafe and should be avoided.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2020-2608
ALT-PU-2020-2766
ALT-PU-2020-2852
ALT-PU-2021-1456
AZL-79064
BIT-GOLANG-2020-24553
CESA-2020_5493
CVE-2020-24553
GO-2021-0226
MGASA-2020-0424
OPENSUSE-SU-2020:1584-1
OPENSUSE-SU-2020:1587-1
OPENSUSE-SU-2020_1584-1
OPENSUSE-SU-2020_1587-1
OPENSUSE-SU-2024:10807-1
OPENSUSE-SU-2024:10808-1
RHSA-2020:5493
RHSA-2020_5493
RHSA-2021:0145
SUSE-SU-2020:2761-1
SUSE-SU-2020:2776-1
SUSE-SU-2020_2761-1
SUSE-SU-2020_2776-1
USN-4758-1

Affected Products

Alt Linux
Centos
Go
Linuxmint
Red Hat
Suse
Ubuntu