FreeBSD: VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA (CVE-2020-24553): go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Aug 20, 2020 | Sep 2, 2020 | Oct 20, 2020 |
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA:
The Go project reports:
When a Handler does not explicitly set the Content-Type header, both
CGI implementations default to “text/html”. If an attacker can make
a server generate content under their control (e.g. a JSON
containing user data or an uploaded image file) this might be
mistakenly returned by the server as “text/html”. If a victim visits
such a page they could get the attacker's code executed in the
context of the server origin.
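The fallback the advisory describes, next to a handler-side mitigation, as an added Go example that is not part of the FreeBSD or Go advisory. `cgiLikeWriter` is a constructed model of the affected writer's "text/html" fallback, not the net/http/cgi code itself; `safeType` and `echoJSON` are hypothetical names, and the mitigation assumes that pinning a Content-Type with `http.DetectContentType` (the sniffing the plain net/http server already applies) plus `X-Content-Type-Options: nosniff` is acceptable for the application.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cgiLikeWriter is a constructed stand-in for the affected CGI/FastCGI writer:
// when the handler sets no Content-Type, "text/html" goes out (the bug).
type cgiLikeWriter struct{ hdr http.Header }
func (w *cgiLikeWriter) Header() http.Header { return w.hdr }
func (w *cgiLikeWriter) WriteHeader(int) {
	if w.hdr.Get("Content-Type") == "" {
		w.hdr.Set("Content-Type", "text/html") // the risky default
	}
}
func (w *cgiLikeWriter) Write(b []byte) (int, error) { w.WriteHeader(200); return len(b), nil }

// safeType is the mitigation: pin a Content-Type before the first byte reaches
// the CGI layer (DetectContentType yields text/plain for JSON) and add nosniff.
type safeType struct{ http.ResponseWriter }

func (s safeType) prepare(b []byte) {
	if s.Header().Get("Content-Type") == "" {
		s.Header().Set("Content-Type", http.DetectContentType(b))
	}
	s.Header().Set("X-Content-Type-Options", "nosniff")
}
func (s safeType) WriteHeader(c int)          { s.prepare(nil); s.ResponseWriter.WriteHeader(c) }
func (s safeType) Write(b []byte) (int, error) { s.prepare(b); return s.ResponseWriter.Write(b) }

// echoJSON is the advisory's risky pattern: user data served with no Content-Type.
func echoJSON(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(map[string]string{"name": r.URL.Query().Get("name")})
}

// ContentTypeSeen serves echoJSON via the CGI-like writer and reports the Content-Type a client gets.
func ContentTypeSeen(mitigated bool) string {
	w := &cgiLikeWriter{hdr: http.Header{}}
	var rw http.ResponseWriter = w
	if mitigated {
		rw = safeType{w}
	}
	http.HandlerFunc(echoJSON).ServeHTTP(rw, httptest.NewRequest("GET", "/user?name=%3Cb%3E", nil))
	return w.hdr.Get("Content-Type")
}

func main() { fmt.Println(ContentTypeSeen(false), "->", ContentTypeSeen(true)) }
```

Wrapping the application handler in `safeType` before handing it to `cgi.Serve` or `fcgi.Serve` removes the dependence on the library default; setting Content-Type explicitly in every handler is the more direct fix where the code is under your control.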
Solution
References
