Launchpad CVE tracker

CVE 2024-24785

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Related bugs and status

CVE-2024-24785 (Candidate) is related to these bugs:

Bug #2056309: Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056309	Sync golang-1.21 1.21.8-1 (main) from Debian unstable (main)		golang-1.21 (Ubuntu)	Wishlist	Fix Released

Bug #2056310: Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)

Summary				In	Importance	Status
	2056310	Sync golang-1.22 1.22.1-1 (main) from Debian unstable (main)		golang-1.22 (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://go.dev/cl/564196
MISC: https://go.dev/issue/6...
MISC: https://groups.google....
MISC: https://pkg.go.dev/vul...
CONFIRM: https://security.netap...
MLIST: [oss-security] 2024030...

Launchpad.net

CVE 2024-24785

Related bugs and status

Related bugs

References