Bug 2228689 (CVE-2023-3978) - CVE-2023-3978 golang.org/x/net/html: Cross site scripting
Summary: CVE-2023-3978 golang.org/x/net/html: Cross site scripting
Keywords:
Status: NEW
Alias: CVE-2023-3978
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228807 2229577 2229578 2229580 2229581 2229583 2229584 2229585 2229586 2229587 2229588 2229589 2229590 2229591 2229592 2229594 2229596 2229597 2229598 2229600 2229601 2229602 2229603 2229604 2229605 2229607 2228806 2228808 2228810 2228811 2228812 2228813 2228814 2228815 2228824 2228825 2229579 2229582 2229593 2229595 2229599 2229608 2229610 2229611
Blocks: 2228694
TreeView+ depends on / blocked
 
Reported: 2023-08-03 05:50 UTC by Avinash Hanwate
Modified: 2024-03-19 02:20 UTC (History)
81 users (show)

Fixed In Version: golang.org/x/net/html 0.13.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:55:01 UTC
Red Hat Product Errata RHSA-2023:5007 0 None None None 2023-10-31 13:45:32 UTC
Red Hat Product Errata RHSA-2023:5009 0 None None None 2023-10-31 14:02:12 UTC
Red Hat Product Errata RHSA-2023:5888 0 None None None 2023-10-19 02:36:57 UTC
Red Hat Product Errata RHSA-2023:6031 0 None None None 2023-10-23 14:24:43 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:56 UTC
Red Hat Product Errata RHSA-2023:6832 0 None None None 2023-11-08 18:49:46 UTC
Red Hat Product Errata RHSA-2023:6837 0 None None None 2023-11-15 04:22:40 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:53 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:39 UTC
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:45 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:20 UTC
Red Hat Product Errata RHSA-2023:7216 0 None None None 2023-11-15 00:27:27 UTC
Red Hat Product Errata RHSA-2023:7315 0 None None None 2023-11-21 11:27:28 UTC
Red Hat Product Errata RHSA-2024:0485 0 None None None 2024-01-31 16:18:56 UTC
Red Hat Product Errata RHSA-2024:0944 0 None None None 2024-02-28 00:34:40 UTC

Description Avinash Hanwate 2023-08-03 05:50:06 UTC
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

https://go.dev/issue/61615
https://go.dev/cl/514896
https://pkg.go.dev/vuln/GO-2023-1988

Comment 6 Avinash Hanwate 2023-08-07 05:38:23 UTC
Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2229582]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229583]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2229577]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229584]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229585]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229586]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229587]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229588]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229589]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229590]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229591]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229592]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2229593]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2229594]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2229595]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2229596]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2229578]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2229597]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2229598]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2229579]
Affects: fedora-all [bug 2229599]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229600]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2229601]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2229580]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2229602]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2229603]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2229604]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2229605]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2229581]


Created shellz tracking bugs for this issue:

Affects: fedora-all [bug 2229607]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2229608]

Comment 7 Avinash Hanwate 2023-08-07 05:45:38 UTC
Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2229610]

Comment 9 errata-xmlrpc 2023-10-19 02:36:54 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:5888 https://access.redhat.com/errata/RHSA-2023:5888

Comment 10 errata-xmlrpc 2023-10-23 14:24:39 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:6031 https://access.redhat.com/errata/RHSA-2023:6031

Comment 12 errata-xmlrpc 2023-10-31 12:54:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006

Comment 13 errata-xmlrpc 2023-10-31 13:45:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5007 https://access.redhat.com/errata/RHSA-2023:5007

Comment 14 errata-xmlrpc 2023-10-31 14:02:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 15 errata-xmlrpc 2023-11-07 08:17:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 16 errata-xmlrpc 2023-11-08 18:49:42 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832

Comment 17 errata-xmlrpc 2023-11-14 15:16:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 18 errata-xmlrpc 2023-11-14 15:17:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 19 errata-xmlrpc 2023-11-15 00:27:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.4 for RHEL 8

Via RHSA-2023:7216 https://access.redhat.com/errata/RHSA-2023:7216

Comment 20 errata-xmlrpc 2023-11-15 04:22:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6837 https://access.redhat.com/errata/RHSA-2023:6837

Comment 21 errata-xmlrpc 2023-11-21 11:27:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7315 https://access.redhat.com/errata/RHSA-2023:7315

Comment 25 errata-xmlrpc 2024-01-31 16:18:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0485 https://access.redhat.com/errata/RHSA-2024:0485

Comment 29 errata-xmlrpc 2024-02-27 19:47:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 30 errata-xmlrpc 2024-02-27 20:49:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 31 errata-xmlrpc 2024-02-28 00:34:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0944 https://access.redhat.com/errata/RHSA-2024:0944


Note You need to log in before you can comment on or make changes to this bug.