CVE-2024-24785 – Errors returned from JSON marshaling may break template escaping in html/template

https://notcve.org/view.php?id=CVE-2024-24785

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. Si los errores devueltos por los métodos MarshalJSON contienen datos controlados por el usuario, se pueden usar para romper el comportamiento de escape automático contextual del paquete html/template, permitiendo acciones posteriores para inyectar contenido inesperado en las plantillas. A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into templates. • http://www.openwall.com/lists/oss-security/2024/03/08/4 https://go.dev/cl/564196 https://go.dev/issue/65697 https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg https://pkg.go.dev/vuln/GO-2024-2610 https://security.netapp.com/advisory/ntap-20240329-0008 https://access.redhat.com/security/cve/CVE-2024-24785 https://bugzilla.redhat.com/show_bug.cgi?id=2268022 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •