FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified

Affected packages
go < 1.14.8,1
1.15,1 <= go < 1.15.1,1

Details

VuXML ID 67b050ae-ec82-11ea-9071-10c37b4ac2ea
Discovery 2020-08-20
Entry 2020-09-01

The Go project reports:

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

References

CVE Name CVE-2020-24553
URL https://github.com/golang/go/issues/40928