CVE-2023-29400
CVE Details
Last Update
09/15/2024
NIST CVE Summary
Templates containing actions in unquoted HTML attributes e.g. "attr={{.}}"
executed with empty input can result in
output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary
attributes into tags.
Our Official Summary
The vulnerability in golang arises from the use of unquoted HTML attributes in templates. When these templates are executed with empty input, the resulting output may be parsed incorrectly due to HTML normalization rules. This can enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS) attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting on upsteam fixes.
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX 4.4.18
Revision History
- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products