Skip to main content
Version: latest

CVE-2023-29400

CVE Details

CVE-2023-29400

Last Update

09/15/2024

NIST CVE Summary

Templates containing actions in unquoted HTML attributes e.g. "attr={{.}}" executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Our Official Summary

The vulnerability in golang arises from the use of unquoted HTML attributes in templates. When these templates are executed with empty input, the resulting output may be parsed incorrectly due to HTML normalization rules. This can enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS) attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting on upsteam fixes.

CVE Severity

7.3

Status

Ongoing

Affected Products & Versions

  • Palette VerteX 4.4.18

Revision History

  • 1.0 09/15/2024 Initial Publication
  • 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products