
CVE-2020-24553

Published: 02/09/2020 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Go prior to 1.14.8 and 1.15.x prior to 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.

Vulnerable Product

golang go

fedoraproject fedora 33

opensuse leap 15.1

opensuse leap 15.2

oracle communications cloud native core policy 1.5.0

Vendor Advisories

Debian Bug report logs - #969661 golang-1.15: CVE-2020-24553 Package: src:golang-1.15; Maintainer for src:golang-1.15 is Go Compiler Team <team+go-compiler@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sun, 6 Sep 2020 19:09:05 UTC Severity: important Tags: security, upstream Found ...
Synopsis Moderate: Red Hat OpenShift Serverless Client kn 1.12.0 Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Serverless Client kn 1.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which g ...
Synopsis Moderate: go-toolset:rhel8 security update Type/Severity Security Advisory: Moderate Topic An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring ...
Synopsis Moderate: Release of OpenShift Serverless 1.12.0 Type/Severity Security Advisory: Moderate Topic Release of OpenShift Serverless 1.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detaile ...
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header (CVE-2020-24553) ...
In Go versions before 1.15.1 and 1.14.8, if the Content-Type header of a Handler was not explicitly set, the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response ...

Exploits

The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross site scripting vulnerabilities even if uploaded data has been validated during upload. Versions 1.15 and 11 ...

Mailing Lists

Full Disclosure mailing list archives: [RT-SA-2020-004] Inconsistent Behavior of Go's CGI and FastCGI Transport May Lead to Cross-Site Scripting ...