Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA (CVE-2020-24553): go -- net/http/cgi, net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified



Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 08/20/2020
Created: 09/04/2020
Added: 09/02/2020
Modified: 10/20/2020

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-67B050AE-EC82-11EA-9071-10C37B4AC2EA:

The Go project reports:

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”. If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.
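Besides upgrading, the defence the advisory points at is that no handler served through net/http/cgi or net/http/fcgi should ever leave the Content-Type unset. As an added example (not code from the page, Rapid7 or the Go project), a hypothetical Go middleware that enforces an explicit type and adds nosniff, exercised with a constructed handler that forgets to set one:

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// typedWriter wraps an http.ResponseWriter so no response leaves without an
// explicit Content-Type. Hypothetical defensive code, not part of net/http/cgi.
type typedWriter struct {
	http.ResponseWriter
	wroteHeader bool
}
func (w *typedWriter) WriteHeader(code int) {
	if !w.wroteHeader {
		w.wroteHeader = true
		h := w.Header()
		if h.Get("Content-Type") == "" {
			// Handler never declared a type: pick one browsers will not render
			// as a page, instead of the text/html default the advisory describes.
			h.Set("Content-Type", "application/octet-stream")
		}
		h.Set("X-Content-Type-Options", "nosniff") // and stop browsers guessing
	}
	w.ResponseWriter.WriteHeader(code)
}
func (w *typedWriter) Write(b []byte) (int, error) {
	if !w.wroteHeader {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(b)
}
// EnforceContentType sits between cgi.Serve/fcgi.Serve and the app handler.
func EnforceContentType(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&typedWriter{ResponseWriter: rw}, r)
	})
}
// Forgetful echoes user-controlled JSON (constructed) with no Content-Type set.
var Forgetful = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte(`{"name":"<b>untrusted input</b>"}`))
})

// ServeAndInspect runs h through the middleware and returns the headers it set.
func ServeAndInspect(h http.Handler) (ctype, nosniff string) {
	rec := httptest.NewRecorder()
	EnforceContentType(h).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Type"), rec.Header().Get("X-Content-Type-Options")
}
```

A handler that does set its own Content-Type passes through unchanged apart from the added nosniff header, so the wrapper can be applied to an entire CGI/FastCGI application with `cgi.Serve(EnforceContentType(app))`.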

Solution(s)

  • freebsd-upgrade-package-go
