Количество 20
Количество 20
GHSA-v4m2-x4rp-hv22
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti...
CVE-2023-24538
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti...
CVE-2023-24538
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti...
CVE-2023-24538
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinte
CVE-2023-24538
Templates do not properly consider backticks (`) as Javascript string ...
BDU:2024-01979
Уязвимость пакета golang операционной системы Debian GNU/Linux, позволяющая нарушителю выполнить произвольный код
SUSE-SU-2023:1792-1
Security update for go1.19
SUSE-SU-2023:1791-1
Security update for go1.20
ROS-20241017-01
Множественные уязвимости golang
ROS-20241203-15
Множественные уязвимости filebeat
SUSE-SU-2023:2127-1
Security update for go1.19
SUSE-SU-2023:2105-2
Security update for go1.20
SUSE-SU-2023:2105-1
Security update for go1.20
ELSA-2023-6402
ELSA-2023-6402: containernetworking-plugins security and bug fix update (MODERATE)
ELSA-2023-6473
ELSA-2023-6473: buildah security update (MODERATE)
ELSA-2023-6363
ELSA-2023-6363: skopeo security update (MODERATE)
ELSA-2023-6474
ELSA-2023-6474: podman security, bug fix, and enhancement update (MODERATE)
ELSA-2023-6938
ELSA-2023-6938: container-tools:4.0 security and bug fix update (MODERATE)
ROS-20240418-06
Множественные уязвимости buildah
ELSA-2023-6939
ELSA-2023-6939: container-tools:ol8 security and bug fix update (MODERATE)
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
| GHSA-v4m2-x4rp-hv22 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti... | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
 | CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti... | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
 | CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmplliti... | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
 | CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinte | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
| CVE-2023-24538 Templates do not properly consider backticks (`) as Javascript string ... | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
 | BDU:2024-01979 Уязвимость пакета golang операционной системы Debian GNU/Linux, позволяющая нарушителю выполнить произвольный код | CVSS3: 9.8 | 1% Низкий | около 2 лет назад |
 | SUSE-SU-2023:1792-1 Security update for go1.19 | около 2 лет назад | ||
| SUSE-SU-2023:1791-1 Security update for go1.20 | около 2 лет назад | ||
 | ROS-20241017-01 Множественные уязвимости golang | CVSS3: 9.8 | 8 месяцев назад | |
| ROS-20241203-15 Множественные уязвимости filebeat | CVSS3: 9.8 | 7 месяцев назад | |
| SUSE-SU-2023:2127-1 Security update for go1.19 | около 2 лет назад | ||
| SUSE-SU-2023:2105-2 Security update for go1.20 | около 2 лет назад | ||
| SUSE-SU-2023:2105-1 Security update for go1.20 | около 2 лет назад | ||
| ELSA-2023-6402 ELSA-2023-6402: containernetworking-plugins security and bug fix update (MODERATE) | больше 1 года назад | ||
| ELSA-2023-6473 ELSA-2023-6473: buildah security update (MODERATE) | больше 1 года назад | ||
| ELSA-2023-6363 ELSA-2023-6363: skopeo security update (MODERATE) | больше 1 года назад | ||
| ELSA-2023-6474 ELSA-2023-6474: podman security, bug fix, and enhancement update (MODERATE) | больше 1 года назад | ||
| ELSA-2023-6938 ELSA-2023-6938: container-tools:4.0 security and bug fix update (MODERATE) | больше 1 года назад | ||
| ROS-20240418-06 Множественные уязвимости buildah | CVSS3: 9.8 | около 1 года назад | |
| ELSA-2023-6939 ELSA-2023-6939: container-tools:ol8 security and bug fix update (MODERATE) | больше 1 года назад |
Уязвимостей на страницу