CVE-2017-16008

MEDIUM6.1EPSS 0.22%

Cross-Site Scripting in i18next

發布日:2018/11/9修改日:2023/11/8

描述

Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability. ## Proof of Concept ```js var init = i18n.init({debug: true}, function(){ var test = i18n.t('__firstName__ __lastName__', { escapeInterpolation: true, firstName: '__lastNameHTML__', lastName: '<script>', }); console.log(test); }); // equals "<script> <script>" ``` ## Recommendation Update to version 1.10.3 or later.

受影響套件(1)

npm/i18nextfrom 0, < 1.10.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-f89g-whpf-6q9m
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16008
WEBhttps://github.com/i18next/i18next/pull/443
WEBhttps://www.npmjs.com/advisories/325