PT-2024-3060 · Go+10 · Html/Template+10

Ryotak

·

Published

2024-03-05

·

Updated

2026-02-26

·

CVE-2024-24785

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions html/template package versions (affected versions not specified)
Description The issue is related to the lack of input validation in the html/template package of the Go programming language. This can be exploited by a remote attacker to inject arbitrary content into templates. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-1336

Related Identifiers

ALSA-2024:2562
ALSA-2024:3259
ALSA-2024:9135
ALSA-2026:3428
AZL-37457
AZL-37460
AZL-79024
BDU:2024-03248
BIT-GOLANG-2024-24785
CESA-2024_3259
CVE-2024-24785
GHSA-J6M3-GC37-6R6Q
GO-2024-2610
INFSA-2024_2562
INFSA-2024_3259
INFSA-2024_9135
OESA-2024-1306
OESA-2025-1072
OESA-2025-1073
OESA-2025-1074
OESA-2025-1075
OESA-2025-1076
OESA-2025-1682
OESA-2025-1683
OPENSUSE-SU-2024:13752-1
OPENSUSE-SU-2024:13756-1
OPENSUSE-SU-2024_0812-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3755-1
RHSA-2024:0045
RHSA-2024:2562
RHSA-2024:3259
RHSA-2024:4023
RHSA-2024:4893
RHSA-2024:9135
RHSA-2024_2562
RHSA-2024_3259
RHSA-2024_9135
RHSA-2026:3428
RLSA-2024:2562
RLSA-2024:3259
RLSA-2024:9135
SUSE-SU-2024:0800-1
SUSE-SU-2024:0811-1
SUSE-SU-2024:0812-1
SUSE-SU-2024:0936-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
USN-6886-1
USN-7061-1
USN-7109-1

Affected Products

Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Html/Template