CVE-2024-43370 — gettext.js has a Cross-site Scripting injection

Description

### Impact Possible vulnerability to XSS injection if .po dictionary definition files is corrupted ### Patches Update gettext.js to 2.0.3 ### Workarounds Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

How to fix CVE-2024-43370

To remediate CVE-2024-43370, upgrade the affected package to a fixed version below.

—upgrade to 0.7.0-2+deb11u1 or later
—upgrade to 2.0.3 or later

Is CVE-2024-43370 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.7.0-2+deb11u1
from 0, < 2.0.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-43370
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-43370
PATCHgithub.com/guillaumepotier/gettext.js
WEBgithub.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8