CVE-2023-3978: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

August 2, 2023 (updated October 11, 2023)

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

References

github.com/advisories/GHSA-2wrh-6pvc-2jm9
go.dev/cl/514896
go.dev/issue/61615
nvd.nist.gov/vuln/detail/CVE-2023-3978
pkg.go.dev/vuln/GO-2023-1988

Code Behaviors & Features

Detect and mitigate CVE-2023-3978 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →