CVE-2023-24540
Improper handling of JavaScript whitespace in html/template
CVSS 3.1 score: 9.8 (CRITICAL)
EPSS: 0.29%
Description
Not all valid JavaScript whitespace characters are treated as whitespace by html/template. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
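As an added example (not part of this advisory or of html/template itself), a Go helper that audits template source for JavaScript whitespace runes outside the set the advisory names, so that templates on a not-yet-upgraded version can be triaged. The ECMAScript whitespace and line-terminator definition used by isJSWhitespace and the sample template are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// recognisedJSWhitespace is the set the advisory says html/template treated as
// whitespace in JavaScript contexts (vulnerable versions).
const recognisedJSWhitespace = "\t\n\f\r\u0020\u2028\u2029"

// isJSWhitespace reports whether r is whitespace under ECMAScript (assumed
// definition): WhiteSpace = TAB, VT, FF, SP, NBSP, ZWNBSP and any Zs rune;
// LineTerminator = LF, CR, LS, PS.
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', ' ', '\u00a0', '\ufeff', '\n', '\r', '\u2028', '\u2029':
		return true
	}
	return unicode.Is(unicode.Zs, r)
}

// Finding is one JS whitespace rune that vulnerable html/template did not
// recognise, with its byte offset in the template source.
type Finding struct {
	Offset int
	Rune   rune
}

// FindUnhandledJSWhitespace returns every rune in src that JavaScript counts as
// whitespace but that lies outside recognisedJSWhitespace. Such runes in a
// script context that also carries {{...}} actions are the trigger condition
// described by the advisory.
func FindUnhandledJSWhitespace(src string) []Finding {
	var out []Finding
	for off, r := range src { // off is the byte offset of each rune
		if isJSWhitespace(r) && !strings.ContainsRune(recognisedJSWhitespace, r) {
			out = append(out, Finding{Offset: off, Rune: r})
		}
	}
	return out
}

func main() {
	// Constructed sample: an action inside <script> with a NBSP (U+00A0) and a
	// vertical tab (U+000B) among the surrounding whitespace.
	tmpl := "<script>var\u00a0x = {{.}};\vvar y = 1;</script>"
	for _, f := range FindUnhandledJSWhitespace(tmpl) {
		fmt.Printf("offset %d: U+%04X\n", f.Offset, f.Rune)
	}
}
```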
How to fix CVE-2023-24540
To remediate CVE-2023-24540, upgrade the affected package to a fixed version below.
- upgrade to 1.19.9 or later
- no fix listed
- no fix listed
- upgrade to 1.19.9 or later
Is CVE-2023-24540 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 0, < 1.19.9; >= 1.20.0, < 1.20.4
- >= 0
- >= 0
- >= 0, < 1.19.9; >= 1.20.0-0, < 1.20.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |