It was discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. (CVE-2022-41724, CVE-2023-24534, CVE-2023-24537) It was discovered that Go did not properly validate the amount of memory and disk files ReadForm can consume. An attacker could possibly use this issue to cause a panic resulting in a denial of service. This issue only affected golang-1.19 on Ubuntu 22.10. (CVE-2022-41725) It was discovered that Go did not properly validate backticks (`) as Javascript string delimiters, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. This issue only affected golang-1.19 on Ubuntu 22.10. (CVE-2023-24538) It was discovered that Go did not properly validate the angle brackets in CSS values. An attacker could possibly use this issue to inject arbitrary CSS code. (CVE-2023-24539) It was discovered that Go did not properly validate whitespace characters in Javascript, and did not escape them as expected. An attacker could possibly use this issue to inject arbitrary Javascript code into the Go template. (CVE-2023-24540) It was discovered that Go did not properly validate HTML attributes with empty input. An attacker could possibly use this issue to inject arbitrary HTML tags into the Go template. (CVE-2023-29400)
Continue reading...
Continue reading...