
FreeBSD: VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA (CVE-2020-24553): go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified

Severity
4
CVSS v2 vector
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Aug 20, 2020
Added
Sep 2, 2020
Modified
Oct 20, 2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.


From VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA:

The Go project reports:

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.
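The following is an added example, not code from the Go project, the FreeBSD port, or the advisory. It models the behaviour described above with a small wrapper, cgiStyleWriter, that (like a CGI or FastCGI child writer) holds the response header back until the first body write and then fills in a missing Content-Type using a pluggable policy: legacyDefault always answers "text/html", sniffDefault uses http.DetectContentType. The wrapper, the policy functions, the handler names and the two sample bodies (a JSON document carrying a user-supplied name, and an "uploaded image" that is really HTML) are all constructed for this illustration and are not the net/http/cgi implementation. contentTypeOf runs a handler through the wrapper with httptest and returns the Content-Type a client would see.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample bodies (not from the advisory): a JSON document that
// carries a user-supplied name, and an "uploaded image" that is really HTML.
var (
	userJSON   = []byte(`{"name":"<script>alert(document.domain)</script>"}`)
	fakeUpload = []byte(`<script>alert(document.domain)</script>`)
)

// Policies for a response whose handler never set Content-Type.
// legacyDefault is the behaviour the advisory describes; sniffDefault
// picks a type from the first body bytes instead of assuming HTML.
func legacyDefault(_ []byte) string    { return "text/html" }
func sniffDefault(first []byte) string { return http.DetectContentType(first) }

// cgiStyleWriter is a hypothetical stand-in for a CGI/FastCGI child
// writer: nothing is emitted until the first body write, at which point a
// missing Content-Type is filled in by defaultType. It also adds
// X-Content-Type-Options: nosniff so the browser does not re-sniff.
type cgiStyleWriter struct {
	http.ResponseWriter
	defaultType func(firstChunk []byte) string
	status      int  // status the handler asked for; 0 means not set
	headerSent  bool // true once the underlying WriteHeader has run
}

func (w *cgiStyleWriter) WriteHeader(status int) {
	if !w.headerSent {
		w.status = status // remember it; emit on first Write
	}
}

func (w *cgiStyleWriter) flushHeader(firstChunk []byte) {
	if w.headerSent {
		return
	}
	h := w.Header()
	if h.Get("Content-Type") == "" && len(firstChunk) > 0 {
		h.Set("Content-Type", w.defaultType(firstChunk))
	}
	h.Set("X-Content-Type-Options", "nosniff")
	if w.status == 0 {
		w.status = http.StatusOK
	}
	w.ResponseWriter.WriteHeader(w.status)
	w.headerSent = true
}

func (w *cgiStyleWriter) Write(b []byte) (int, error) {
	w.flushHeader(b)
	return w.ResponseWriter.Write(b)
}

// The "leaky" handlers rely on the default; the hardened ones state the
// type explicitly, which is the only fix independent of what the body
// happens to look like.
func leakyJSON(w http.ResponseWriter, _ *http.Request)   { w.Write(userJSON) }
func leakyUpload(w http.ResponseWriter, _ *http.Request) { w.Write(fakeUpload) }

func hardenedJSON(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Write(userJSON)
}

func hardenedUpload(w http.ResponseWriter, _ *http.Request) {
	// Serve stored uploads as opaque downloads; never let the bytes decide.
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="upload.bin"`)
	w.Write(fakeUpload)
}

// contentTypeOf runs h through a cgiStyleWriter with the given policy and
// returns the Content-Type the client would receive.
func contentTypeOf(policy func([]byte) string, h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	cw := &cgiStyleWriter{ResponseWriter: rec, defaultType: policy}
	h.ServeHTTP(cw, httptest.NewRequest(http.MethodGet, "/", nil))
	cw.flushHeader(nil) // handler set a status but wrote no body
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	cases := []struct {
		name   string
		policy func([]byte) string
		h      http.HandlerFunc
	}{
		{"legacy default, JSON", legacyDefault, leakyJSON},
		{"sniffing default, JSON", sniffDefault, leakyJSON},
		{"sniffing default, HTML upload", sniffDefault, leakyUpload},
		{"explicit type, JSON", legacyDefault, hardenedJSON},
		{"explicit type, upload", sniffDefault, hardenedUpload},
	}
	for _, c := range cases {
		fmt.Printf("%-30s -> %s\n", c.name, contentTypeOf(c.policy, c.h))
	}
}
```

Under the legacy policy the JSON body goes out as text/html and the embedded script runs in the server's origin. Sniffing rescues that case (the body is typed text/plain), but the upload that begins with an HTML tag still sniffs as text/html, so a content-sniffing default is a mitigation, not a guarantee. Upgrading the package removes the unsafe default; handlers that emit attacker-influenced bytes should additionally set Content-Type themselves, send X-Content-Type-Options: nosniff, and serve stored uploads with a Content-Disposition that forces a download.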




Solution

freebsd-upgrade-package-go: upgrade the FreeBSD go package to a release containing the fix (Go 1.14.8 and 1.15.1 are the first releases that include it).