Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553
Reference (s):
- https://security.netapp.com/advisory/ntap-20200924-0003/
- URL: https://security.netapp.com/advisory/ntap-20200924-0003/
- FEDORA:FEDORA-2020-741cfa13d0
- URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CZBO7Q73GGWBVYIKNH2HNN44Q5IQND5W/
- FULLDISC:20200902 [RT-SA-2020-004] Inconsistent Behavior of Go’s CGI and FastCGI Transport May Lead to Cross-Site Scripting