CVE-2023-24540 - Denial of Service (DoS)
Severity: None
2025-03-11
Abstract
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
The Oxygen products incorporate gosu as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
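To check whether your own Go templates fall under the condition in the abstract, the following scanner is an added example (not code from Oxygen, gosu or the Go project). It assumes "valid JavaScript whitespace" means ECMAScript's WhiteSpace and LineTerminator characters, and the names `Scan`, `Finding` and `sample` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// handled is the whitespace set quoted in the advisory abstract.
const handled = "\t\n\f\r\u0020\u2028\u2029"
// scriptRe grabs <script> bodies (simplification: a regex, not an HTML parser).
var scriptRe = regexp.MustCompile(`(?is)<script\b[^>]*>(.*?)</script>`)

// isJSWhitespace: ECMAScript WhiteSpace or LineTerminator (assumed definition).
func isJSWhitespace(r rune) bool {
	return strings.ContainsRune("\t\n\v\f\r\u00a0\ufeff\u2028\u2029", r) || unicode.Is(unicode.Zs, r)
}

// Finding is one whitespace rune outside the handled set (hypothetical type).
type Finding struct {
	Line int
	Rune rune
}

// Scan reports such runes inside <script> bodies that also contain a {{ action.
func Scan(src string) []Finding {
	var out []Finding
	for _, m := range scriptRe.FindAllStringSubmatchIndex(src, -1) {
		body := src[m[2]:m[3]]
		if !strings.Contains(body, "{{") {
			continue // no action in this JavaScript context
		}
		for off, r := range body {
			if isJSWhitespace(r) && !strings.ContainsRune(handled, r) {
				out = append(out, Finding{1 + strings.Count(src[:m[2]+off], "\n"), r})
			}
		}
	}
	return out
}

// sample is a constructed template: line 2 has U+00A0 next to an action.
const sample = "<p>{{.Title}}</p>\n<script>var\u00a0n = {{.Name}};</script>\n<script>var ok = 1;\u000b</script>\n"

func main() {
	fmt.Printf("%+v\n", Scan(sample))
}
```

Only `<script>` elements are inspected; JavaScript in event-handler attributes is outside this sketch.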
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Web Author v7.0 and older | None | Oxygen Content Fusion 7.1 build 2024100818 |
Detail
CVE-2023-24540
Severity: Critical
CVSS Score: 9.8
The gosu third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2023-24540 vulnerability description. However, Oxygen Content Fusion does not use Go templates. For that reason, Oxygen products are not affected by this vulnerability.
Starting with Oxygen Content Fusion v7.1 build 2024100818, the gosu library was removed.