All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user’s browser, compromising user sessions.

Affected Packages

Go github.com/greenpau/caddy-security

Affected versions: 0 (last affected: 1.1.23)

Related CVEs

CVE-2024-21496

Key Information

GHSA ID

GHSA-ff72-ff42-c3gw

Published

February 17, 2024 6:30 AM

Last Modified

November 6, 2024 11:31 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/greenpau/caddy-security

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 2, 2025 6:46 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.