3.1.10
CVE-2024-22199 is a critical Cross-Site Scripting (XSS) vulnerability found in the gofiber/template package, a component used for rendering templates within the Fiber web framework. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or account takeover. The vulnerability affects versions 3.1.0 up to, but not including, 3.1.9. A fix has been released in version 3.1.9, which enables autoescape by default.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into a web page, which would then execute in the context of the user's browser. This could allow the attacker to steal sensitive information, such as cookies or session tokens, or to redirect the user to a malicious website. Furthermore, attackers could potentially deface the website or perform actions on behalf of the user without their knowledge. The ease of exploitation, combined with the potential for widespread impact, makes this a high-priority vulnerability to address. The use of gofiber/template in numerous Go web applications increases the potential attack surface.
This vulnerability was publicly disclosed on January 11, 2024. There are currently no known active campaigns exploiting this specific CVE, but the ease of exploitation and the widespread use of gofiber/template make it a potential target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the nature of the vulnerability and its public disclosure.
Applications built with the Fiber web framework that utilize the gofiber/template package and are running versions 3.1.0 through 3.1.8 are at risk. This includes applications that directly render user-supplied data within templates without proper sanitization or encoding. Developers who have not recently reviewed their template usage are also at increased risk.
• go module: Check your go.mod file for gofiber/template versions below 3.1.9. Use go list -m all to identify dependencies and versions.
go list -m all | grep gofiber/template
• generic web: Inspect web application logs for unusual JavaScript execution patterns or attempts to inject <script> tags. Look for error messages related to template rendering.
• generic web: Use a web proxy (e.g., Burp Suite) to intercept and analyze HTTP requests and responses for signs of XSS payloads.
Exploit status
EPSS: 1.37% (80th percentile)
The primary mitigation for CVE-2024-22199 is to upgrade to version 3.1.9 or later of the gofiber/template package. This version includes a fix that enables autoescape by default, which effectively prevents the injection of malicious scripts. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data before rendering it through the template engine. While not a complete solution, this can reduce the risk of exploitation. Review your application's template usage to ensure that user-supplied data is properly sanitized and escaped. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a form field and verifying that the script is not executed.
Update the `gofiber/template` library to the latest version. This vulnerability is fixed by setting autoescape to `true` by default. Make sure your application uses a version of the library in which this setting is enabled.
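The difference autoescape makes, and the post-upgrade check described above, as an added example that is not code from gofiber/template or the Fiber project: Go's standard text/template stands in for an engine with autoescape disabled and html/template for one with it enabled, and renderUnescaped, renderEscaped and containsRawScript are names chosen here, not library APIs.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	"strings"
	texttmpl "text/template"
)

// Constructed sample: the harmless probe string the advisory suggests for
// verifying the fix, standing in for any user-supplied template value.
const probe = `<script>alert(1)</script>`

// A minimal page template that interpolates a user-controlled field.
const page = `<p>Hello, {{.Name}}</p>`

// renderUnescaped models autoescape disabled: text/template copies the
// value into the output verbatim, so markup in it becomes live HTML.
func renderUnescaped(name string) (string, error) {
	t, err := texttmpl.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped models autoescape enabled: html/template applies contextual
// escaping, so "<" and ">" in the value are emitted as entities.
func renderEscaped(name string) (string, error) {
	t, err := htmltmpl.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawScript is the verification check: a correctly escaping engine
// must never reproduce the probe's script tag literally in its output.
func containsRawScript(rendered string) bool {
	return strings.Contains(rendered, "<script>")
}

func main() {
	raw, _ := renderUnescaped(probe)
	safe, _ := renderEscaped(probe)
	fmt.Printf("unescaped: %s (raw tag present: %v)\n", raw, containsRawScript(raw))
	fmt.Printf("escaped:   %s (raw tag present: %v)\n", safe, containsRawScript(safe))
}
```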
CVE-2024-22199 is a critical XSS vulnerability in the gofiber/template package, allowing attackers to inject malicious scripts into web pages. It affects versions 3.1.0 through 3.1.8.
You are affected if your application uses gofiber/template version 3.1.0 through 3.1.8 and renders user-supplied data within templates without proper sanitization.
Upgrade to version 3.1.9 or later of the gofiber/template package. This enables autoescape by default, mitigating the XSS risk.
While there are no confirmed active campaigns, the vulnerability's ease of exploitation makes it a potential target.
Refer to the gofiber/template repository on GitHub for updates and advisories: https://github.com/gofiber/template