CVE-2020-24553 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Cross-site scripting
Description	In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1215	go	1.15.0-1	1.15.1-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
03 Sep 2020	ASA-202009-3	AVG-1215	go	Medium	cross-site scripting

References
https://github.com/golang/go/issues/40928 https://www.redteam-pentesting.de/advisories/rt-sa-2020-004 https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs/m/UccMwBPUBAAJ https://github.com/golang/go/commit/eb07103a083237414145a45f029c873d57037e06

References

https://github.com/golang/go/issues/40928
https://www.redteam-pentesting.de/advisories/rt-sa-2020-004
https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs/m/UccMwBPUBAAJ
https://github.com/golang/go/commit/eb07103a083237414145a45f029c873d57037e06