CVE-2023-3978: 
Terraform Community vulnerability analysis and mitigation

A vulnerability was discovered in golang.org/x/net/html package where text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be rendered properly. The vulnerability, identified as CVE-2023-3978, was published on August 2, 2023, and affects versions before v0.13.0 (Go Vuln DB).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically relates to the improper handling of text nodes outside the HTML namespace, where the content is literally rendered instead of being properly escaped (NVD).

This vulnerability could potentially lead to Cross-Site Scripting (XSS) attacks. The CVSS scoring indicates that the vulnerability has low impact on both confidentiality and integrity, with no impact on availability. The attack requires user interaction and can be executed remotely without requiring privileges (NVD).

Users are advised to upgrade to golang.org/x/net/html version v0.13.0 or later to address this vulnerability. The fix has been implemented and is available through the official release channels (Go Vuln DB).