CVE-2023-26131

CVSS V2 None CVSS V3 None

Description

All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/themes are vulnerable to Cross-site Scripting (XSS) via the themes.NoPage(filename, theme) function due to improper user input sanitization. Exploiting this vulnerability is possible when a file/resource is not found.

Overview

CVE ID
CVE-2023-26131

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2023-05-31T05:00:01.493Z

Last Modified Date
2023-05-31T05:00:01.493Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMXYPROTOALGERNONENGINE-3312111
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMXYPROTOALGERNONTHEMES-3312112
https://github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/engine/handlers.go%23L514
https://github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/themes/html.go%23L145
https://github.com/xyproto/algernon/blob/aab484608651852d02a8a93f40baf53ed93e639a/engine/handlers.go%23L512

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26131
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26131

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:20:00				Added to TrackCVE