CVE-2023-29400
Improper handling of empty HTML attributes in html/template
7.3
HIGH
CVSS 3.1
EPSS 0.06%
Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. The underlying mechanism: an empty action leaves the attribute as `attr=` followed by whitespace, and the HTML tokenizer skips whitespace before an unquoted value, so the next attribute in the tag is consumed as the value of `attr`, shifting how every following attribute is interpreted.
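The following is an added example, not code from the Go project or from this advisory. It renders an unquoted and a quoted attribute action with empty input through html/template, then runs each output through a small attribute tokenizer (written here to follow the WHATWG rules for unquoted attribute values, not a real browser parser) to show how the tag is actually read. The pre-fix output is reproduced as a constant string so the parse can be shown on any Go version; on Go 1.19.9 / 1.20.4 and later html/template substitutes its `ZgotmplZ` failsafe for the empty unquoted value instead. Template strings and tag contents are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// render executes tmplText with data through html/template and returns the output.
func render(tmplText string, data any) (string, error) {
	t, err := template.New("t").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Attr is one attribute as a tokenizer would report it.
type Attr struct{ Name, Value string }

func isSpace(c byte) bool { return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f' }

// parseTagAttrs applies the tokenizer's attribute rules to the text that follows a
// tag name: whitespace after '=' is skipped, and an unquoted value then runs to
// the next whitespace or '>'. That skip is the normalization the advisory refers to.
// Simplified: no entity decoding, no error recovery beyond what is shown.
func parseTagAttrs(s string) []Attr {
	var attrs []Attr
	i := 0
	skipSpace := func() {
		for i < len(s) && isSpace(s[i]) {
			i++
		}
	}
	for {
		skipSpace()
		if i >= len(s) || s[i] == '>' {
			return attrs
		}
		start := i
		for i < len(s) && !isSpace(s[i]) && s[i] != '=' && s[i] != '>' {
			i++
		}
		name := strings.ToLower(s[start:i])
		skipSpace()
		if i >= len(s) || s[i] != '=' {
			attrs = append(attrs, Attr{Name: name}) // bare attribute, empty value
			continue
		}
		i++         // consume '='
		skipSpace() // an empty unquoted value means the NEXT token becomes this value
		var value string
		if i < len(s) && (s[i] == '"' || s[i] == '\'') {
			q := s[i]
			i++
			start = i
			for i < len(s) && s[i] != q {
				i++
			}
			value = s[start:i]
			if i < len(s) {
				i++ // closing quote
			}
		} else {
			start = i
			for i < len(s) && !isSpace(s[i]) && s[i] != '>' {
				i++
			}
			value = s[start:i]
		}
		attrs = append(attrs, Attr{Name: name, Value: value})
	}
}

// attrsOfTag strips "<tagname" and the trailing ">" from a single start tag and parses the rest.
func attrsOfTag(tag string) []Attr {
	inner := strings.TrimSuffix(strings.TrimPrefix(tag, "<"), ">")
	j := 0
	for j < len(inner) && !isSpace(inner[j]) {
		j++
	}
	return parseTagAttrs(inner[j:])
}

func main() {
	// Constructed templates: the same action, unquoted and quoted.
	for _, tmpl := range []string{`<p name={{.}} class=safe>`, `<p name="{{.}}" class=safe>`} {
		out, err := render(tmpl, "")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28s -> %-30s parsed as %v\n", tmpl, out, attrsOfTag(out))
	}
	// Output produced by Go before 1.19.9 / 1.20.4, reproduced as a constant.
	const preFix = `<p name= class=safe>`
	fmt.Printf("%-28s -> %-30s parsed as %v\n", "(pre-fix Go)", preFix, attrsOfTag(preFix))
}
```

The pre-fix output parses as a single attribute `name="class=safe"`: the `class` attribute the template author wrote has vanished into the value of `name`, and any attribute that followed it would be shifted the same way. Quoting the action (`name="{{.}}"`) yields `name=""` with `class=safe` intact on every Go version, so quoting attribute actions is a sound template-hygiene rule independent of the upgrade.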
How to fix CVE-2023-29400
To remediate CVE-2023-29400, upgrade the affected package to a fixed version below. The fix landed in two release lines: 1.19.9 for the 1.19 series and 1.20.4 for the 1.20 series, so pick the fixed release matching the line you run.
- —upgrade to 1.19.9 or later (1.19 line) or 1.20.4 or later (1.20 line)
- —no fix listed
- —no fix listed
- —upgrade to 1.19.9 or later (1.19 line) or 1.20.4 or later (1.20 line)
Is CVE-2023-29400 being exploited?
Low. EPSS is 0.06%, i.e. the model estimates a very low probability of exploitation in the wild over the next 30 days; no widespread exploitation activity is indicated.
Affected packages (4)
- all versions < 1.19.9; >= 1.20.0, < 1.20.4
- all versions (no fixed range listed)
- all versions (no fixed range listed)
- all versions < 1.19.9; >= 1.20.0-0, < 1.20.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |