
CVE-2023-24540

CVE Details

CVE-2023-24540

Last Update

09/15/2024

NIST CVE Summary

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
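A coarse template audit for the condition in the NIST summary, as an added example (not Spectro Cloud or Go project code): it lists characters that ECMAScript treats as whitespace or line terminators but that fall outside the quoted set, in template sources that contain actions. `ScanTemplate`, `Finding` and the sample template are hypothetical names and constructed input, and the scan assumes the whole file is checked rather than only its JavaScript contexts.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// handled is the whitespace set quoted in the NIST summary.
const handled = "\t\n\f\r\u0020\u2028\u2029"

// isJSWhitespace reports whether r is WhiteSpace or a LineTerminator in ECMAScript.
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', '\n', '\r', 0x00A0, 0xFEFF, 0x2028, 0x2029:
		return true
	}
	return unicode.Is(unicode.Zs, r) // space separators, including U+0020
}

// Finding is one whitespace rune that falls outside the handled set.
type Finding struct{ Line int; Rune rune }

// ScanTemplate returns JavaScript whitespace runes outside the handled set.
// Templates without actions ("{{") are skipped; the whole file is scanned (assumption).
func ScanTemplate(src string) []Finding {
	if !strings.Contains(src, "{{") {
		return nil
	}
	var out []Finding
	line := 1
	for _, r := range src {
		if isJSWhitespace(r) && !strings.ContainsRune(handled, r) {
			out = append(out, Finding{line, r})
		}
		if r == '\n' {
			line++
		}
	}
	return out
}

func main() {
	// Constructed sample: U+00A0 (no-break space) next to an action in a script block.
	sample := "<script>\nvar a =\u00a0{{.Value}};\n</script>\n"
	for _, f := range ScanTemplate(sample) {
		fmt.Printf("line %d: U+%04X\n", f.Line, f.Rune)
	}
}
```

A finding means the template deserves review and the Go toolchain should be on a fixed release; an empty result does not replace upgrading.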

Our Official Summary

This vulnerability affects the html/template package of Go (Golang). It arises from improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems using Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template package with JavaScript contexts containing actions and specific whitespace characters. The images in which the vulnerability is reported do not use the html package, so the possibility of this vulnerability being exploited in Spectro Cloud products is low. An upstream fix is available, and we will upgrade to that version.

CVE Severity

9.8

Status

Ongoing

Affected Products & Versions

  • Palette VerteX 4.4.18

Revision History

  • 1.0 09/15/2024 Initial Publication
  • 2.0 09/15/2024 Added Palette VerteX 4.4.18 to Affected Products