CVE-2024-22199 is a critical Cross-Site Scripting (XSS) vulnerability found in the gofiber/template package, a component used for rendering templates within the Fiber web framework. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or account takeover. The vulnerability affects versions 3.1.0 up to, but not including, 3.1.9. A fix has been released in version 3.1.9, which enables autoescape by default.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into a web page, which would then execute in the context of the user's browser. This could allow the attacker to steal sensitive information, such as cookies or session tokens, or to redirect the user to a malicious website. Furthermore, attackers could potentially deface the website or perform actions on behalf of the user without their knowledge. The ease of exploitation, combined with the potential for widespread impact, makes this a high-priority vulnerability to address. The use of gofiber/template in numerous Go web applications increases the potential attack surface.
This vulnerability was publicly disclosed on January 11, 2024. There are currently no known active campaigns exploiting this specific CVE, but the ease of exploitation and the widespread use of gofiber/template make it a potential target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the nature of the vulnerability and its public disclosure.
Applications built with the Fiber web framework that utilize the gofiber/template package and are running versions 3.1.0 through 3.1.8 are at risk. This includes applications that directly render user-supplied data within templates without proper sanitization or encoding. Developers who have not recently reviewed their template usage are also at increased risk.
• go module: Check your go.mod file for gofiber/template versions below 3.1.9. Use go list -m all to identify dependencies and versions:
  go list -m all | grep gofiber/template
• generic web: Inspect web application logs for unusual JavaScript execution patterns or attempts to inject <script> tags. Look for error messages related to template rendering.
• generic web: Use a web proxy (e.g., Burp Suite) to intercept and analyze HTTP requests and responses for signs of XSS payloads.
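The go.mod check above can be automated. The following Go program is an added example, not code from the advisory or from the gofiber project: it scans go.mod text for any gofiber/template module (block or single-line require form) whose version falls in the affected range the advisory gives, 3.1.0 up to but not including 3.1.9. The sample go.mod is constructed, and the sub-engine module paths in it are assumed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod (not from any real project): one affected and one fixed module.
const sampleGoMod = `module example.com/app
require (
	github.com/gofiber/template/django/v3 v3.1.8
	github.com/gofiber/template/html/v2 v2.1.0 // indirect
)
`

// parseSemver reads the leading vMAJOR.MINOR.PATCH of a module version (any -pre/+meta suffix is ignored).
func parseSemver(v string) (parts [3]int, ok bool) {
	n, err := fmt.Sscanf(v, "v%d.%d.%d", &parts[0], &parts[1], &parts[2])
	return parts, err == nil && n == 3
}

// inAffectedRange reports whether v lies in [v3.1.0, v3.1.9), the range the advisory gives.
func inAffectedRange(v [3]int) bool { return v[0] == 3 && v[1] == 1 && v[2] < 9 }

// vulnerableTemplateModules scans go.mod text (block or single-line require) and returns
// "path version" for each gofiber/template module whose version is in the affected range.
func vulnerableTemplateModules(gomod string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		// "require path version" on one line is normalised to "path version".
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(fields) < 2 || (fields[0] != "github.com/gofiber/template" &&
			!strings.HasPrefix(fields[0], "github.com/gofiber/template/")) {
			continue
		}
		if v, ok := parseSemver(fields[1]); ok && inAffectedRange(v) {
			hits = append(hits, fields[0]+" "+fields[1])
		}
	}
	return hits
}

func main() {
	for _, h := range vulnerableTemplateModules(sampleGoMod) {
		fmt.Println("CVE-2024-22199: upgrade to v3.1.9 or later:", h)
	}
}
```

Replace sampleGoMod with the contents of your own go.mod; pseudo-versions and replace directives are not interpreted, so review those by hand.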
EPSS: 1.37% (80th percentile)
The primary mitigation for CVE-2024-22199 is to upgrade to version 3.1.9 or later of the gofiber/template package. This version includes a fix that enables autoescape by default, which effectively prevents the injection of malicious scripts. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data before rendering it through the template engine. While not a complete solution, this can reduce the risk of exploitation. Review your application's template usage to ensure that user-supplied data is properly sanitized and escaped. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into a form field and verifying that the script is not executed.
Upgrade the `gofiber/template` library to the latest available version. The vulnerability is resolved by configuring autoescape to `true` by default. Make sure your application uses a library version with this configuration enabled.
CVE-2024-22199 is a critical XSS vulnerability in the gofiber/template package, allowing attackers to inject malicious scripts into web pages. It affects versions 3.1.0 through 3.1.8.
You are affected if your application uses gofiber/template version 3.1.0 through 3.1.8 and renders user-supplied data within templates without proper sanitization.
Upgrade to version 3.1.9 or later of the gofiber/template package. This enables autoescape by default, mitigating the XSS risk.
While there are no confirmed active campaigns, the vulnerability's ease of exploitation makes it a potential target.
Refer to the gofiber/template repository on GitHub for updates and advisories: https://github.com/gofiber/template