The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross-site scripting vulnerabilities even if uploaded data has been validated during upload.
Details
=======
Product: Go
Affected Versions: <= 1.14.7, 1.15
Fixed Versions: 1.14.8, 1.15.1
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: https://golang.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004
Advisory Status: published
CVE: CVE-2020-24553
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553

Introduction
============
The Go standard library defines the ResponseWriter[1] interface in the net/http package for HTTP services. It allows serving content via arbitrary transports so the handler functions can be written without a specific transport in mind. The standard library contains an HTTP server implementation as well as CGI and FastCGI protocol implementations. The library also contains a mock implementation called ResponseRecorder[2] in the net/http/httptest package for use in testing. There may even be more implementations outside the standard library.
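
A handler that declares its own Content-Type does not depend on what a given ResponseWriter implementation chooses when the header is missing. The following sketch is an added example, not code from the advisory or from the Go project: it wraps a handler so the type is fixed before the first write and checks the result with ResponseRecorder. The names pinType, PinContentType, serveUpload and typeSeen and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pinType (hypothetical name) fixes the Content-Type before the first byte is sent.
type pinType struct {
	http.ResponseWriter
	wrote bool
}

func (p *pinType) WriteHeader(code int) {
	if !p.wrote && p.Header().Get("Content-Type") == "" {
		p.Header().Set("Content-Type", "application/octet-stream")
	}
	p.wrote = true
	p.ResponseWriter.WriteHeader(code)
}

func (p *pinType) Write(b []byte) (int, error) {
	if !p.wrote {
		p.WriteHeader(http.StatusOK)
	}
	return p.ResponseWriter.Write(b)
}

// PinContentType is a hypothetical middleware name, not a net/http API.
func PinContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&pinType{ResponseWriter: w}, r)
	})
}

// serveUpload writes constructed sample data without declaring its type.
var serveUpload = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	w.Write([]byte("notes: <b>not meant as HTML</b>"))
})

// typeSeen returns the Content-Type a ResponseRecorder ends up with for h.
func typeSeen(h http.Handler) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/file", nil))
	return rec.Result().Header.Get("Content-Type")
}

func main() { fmt.Println(typeSeen(serveUpload), "->", typeSeen(PinContentType(serveUpload))) }
```

Without the wrapper the recorder reports a type derived from the body; with it, the header is the same on every transport, and handlers that set a more specific type keep it.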
Read the full article @
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-lead-to-cross-site-scripting