Lucene search
GoogleOSV:GO-2021-0226HistoryJan 13, 2022 - 3:44 a.m.
Cross-site scripting in net/http/cgi and net/http/fcgi
2022-01-1303:44:58
Google
osv.dev
19
cross-site scripting
net/http/cgi
net/http/fcgi
content-type header
http.detectcontenttype
attacker-controlled file
vulnerability
When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.
Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.
Related
nessus
nessus
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Go vulnerability (USN-4758-1)
2021-03-23 00:00:00
EulerOS 2.0 SP8 : golang (EulerOS-SA-2020-2512)
2020-12-14 00:00:00
SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2020:2776-1)
2020-12-09 00:00:00
ubuntu
ubuntu
Go vulnerability
2021-03-08 00:00:00
ibm
ibm
amazon
amazon
Medium: golang
2020-11-14 01:22:00
Medium: golang
2020-11-09 17:10:00
suse
suse
Security update for go1.14 (moderate)
2020-10-01 00:00:00
Security update for go1.14 (moderate)
2020-10-02 00:00:00
openvas
openvas
openSUSE: Security Advisory for go1.14 (openSUSE-SU-2020:1587-1)
2020-10-02 00:00:00
openSUSE: Security Advisory for go1.14 (openSUSE-SU-2020:1584-1)
2020-10-02 00:00:00
Ubuntu: Security Advisory (USN-4758-1)
2021-03-09 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.15.2-alt1
2020-09-11 00:00:00
Security fix for the ALT Linux 9 package golang version 1.15.2-alt1
2020-09-11 00:00:00
alpinelinux
alpinelinux
CVE-2020-24553
2020-09-02 17:15:12
ubuntucve
ubuntucve
CVE-2020-24553
2020-09-02 00:00:00
veracode
veracode
Cross-Site Scripting (XSS)
2020-09-03 06:29:59
debiancve
debiancve
CVE-2020-24553
2020-09-02 17:15:12
nvd
nvd
CVE-2020-24553
2020-09-02 17:15:12
archlinux
archlinux
[ASA-202009-3] go: cross-site scripting
2020-09-03 00:00:00
freebsd
freebsd
cve
cve
CVE-2020-24553
2020-09-02 17:15:12
osv
osv
BIT-golang-2020-24553
2024-03-06 11:07:58
GO-2021-0143
2022-02-17 18:15:47
golang-1.10, golang-1.14 vulnerability
2021-03-08 19:10:40
cbl_mariner
cbl_mariner
CVE-2020-24553 affecting package python-tensorboard for versions less than 2.16.2-2
2024-07-24 01:44:36
CVE-2020-24553 affecting package golang 1.13.15-2
2020-11-30 19:30:55
prion
prion
Type confusion
2020-09-02 17:15:00
packetstorm
packetstorm
Go CGI / FastCGI Transport Cross Site Scripting
2020-09-02 00:00:00
mageia
mageia
Updated golang packages fix a security vulnerability
2020-11-15 18:45:05
cvelist
cvelist
CVE-2020-24553
2020-09-02 16:25:52
fedora
fedora
[SECURITY] Fedora 33 Update: golang-1.15.1-1.fc33
2020-09-25 17:16:07
redhatcve
redhatcve
CVE-2020-24553
2020-09-02 13:19:56
redhat
redhat
(RHSA-2020:5493) Moderate: go-toolset:rhel8 security update
2020-12-15 16:02:27
(RHSA-2021:0145) Moderate: Red Hat OpenShift Serverless Client kn 1.12.0
2021-01-14 13:24:15
(RHSA-2021:0146) Moderate: Release of OpenShift Serverless 1.12.0
2021-01-14 13:24:22
almalinux
almalinux
Moderate: go-toolset:rhel8 security update
2020-12-15 16:02:27
oraclelinux
oraclelinux
go-toolset:ol8 security update
2020-12-22 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2021-0248
2021-06-04 00:00:00
Important Photon OS Security Update - PHSA-2021-3.0-0248
2021-06-04 00:00:00
Critical Photon OS Security Update - PHSA-2022-0476
2022-03-03 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00
Oracle Critical Patch Update Advisory - April 2021
2021-04-20 00:00:00