http://bugzilla.opensuse.org/show_bug.cgi?id=1176031 Bug ID: 1176031 Summary: (CVE-2020-24553) VUL-0: CVE-2020-24553: go net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: jkowalczyk@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Go 1.15.1 and Go 1.14.8 address a recently reported security issue: When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided. This issue is CVE-2020-24553 and Go issue https://github.com/golang/go/issues/40928 -- You are receiving this mail because: You are on the CC list for the bug.