CVE-2023-24540
CVE Details
Last Update
09/15/2024
NIST CVE Summary
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Our Official Summary
This vulnerability affects the Golang Go software, specifically the html/template package. The issue arises from improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template package with JavaScript contexts containing actions and specific whitespace characters. The images in which the vulnerability is reported do not use the html package, so the possibility of this vulnerability being exploited in Spectro Cloud products is low. An upstream fix is available, and we will upgrade to that version.
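The following audit is an added example, not part of the original advisory or of the Go project: it flags characters in a template source that ECMAScript treats as whitespace but that fall outside the set quoted in the NIST summary. The names `AuditTemplate` and `Finding` are hypothetical, and the scan assumes the default `{{` action delimiter and conservatively covers the whole file rather than only JavaScript contexts.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Whitespace set quoted in the CVE summary.
const recognized = "\t\n\f\r\u0020\u2028\u2029"

// Finding (hypothetical name) locates one whitespace rune outside that set.
type Finding struct {
	Line, Col int // 1-based line and rune column
	Rune      rune
}

// isJSWhitespace covers ECMAScript WhiteSpace and LineTerminator:
// TAB, VT, FF, NBSP, ZWNBSP, any Unicode Zs, plus LF, CR, LS, PS.
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', '\n', '\r', '\u00A0', '\uFEFF', '\u2028', '\u2029':
		return true
	}
	return unicode.Is(unicode.Zs, r)
}

// AuditTemplate (hypothetical name) scans a template source that contains
// actions. Assumption: default "{{" delimiters; no HTML context parsing.
func AuditTemplate(src string) []Finding {
	if !strings.Contains(src, "{{") {
		return nil // no actions, so the CVE's precondition is not met
	}
	var out []Finding
	line, col := 1, 0
	for _, r := range src {
		col++
		if isJSWhitespace(r) && !strings.ContainsRune(recognized, r) {
			out = append(out, Finding{line, col, r})
		}
		if r == '\n' {
			line, col = line+1, 0
		}
	}
	return out
}

func main() {
	// Constructed sample: a no-break space (U+00A0) precedes the action.
	sample := "<script>\nvar a =\u00A0{{.A}};\nvar b = {{.B}};\n</script>"
	for _, f := range AuditTemplate(sample) {
		fmt.Printf("line %d col %d: U+%04X\n", f.Line, f.Col, f.Rune)
	}
}
```

A finding is a prompt to review that template and confirm the Go toolchain used to build it carries the upstream fix; it does not by itself show that the character sits in a JavaScript context.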
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX 4.4.18
Revision History
- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added Palette VerteX 4.4.18 to Affected Products