---

CVE-2020-24553 - log back

CVE-2020-24553 edited at 02 Sep 2020 07:18:03
Severity	- Unknown + Medium

CVE-2020-24553 edited at 02 Sep 2020 03:54:01
References	https://github.com/golang/go/issues/40928 https://www.redteam-pentesting.de/advisories/rt-sa-2020-004 https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs/m/UccMwBPUBAAJ + https://github.com/golang/go/commit/eb07103a083237414145a45f029c873d57037e06

CVE-2020-24553 created at 02 Sep 2020 03:33:05
Severity	+ Unknown
Remote	+ Remote
Type	+ Cross-site scripting
Description	+ In Go versions before 1.15.1 and 1.14.8 if the Content-Type header of a Handler was not explicitly set the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response.
References	+ https://github.com/golang/go/issues/40928 + https://www.redteam-pentesting.de/advisories/rt-sa-2020-004 + https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs/m/UccMwBPUBAAJ
Notes