CVE-2017-16010 – i18next

Package

Manager: npm
Name: i18next
Vulnerable Version: >=2.0.0 <3.4.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00223 pctl0.44865

Details

Cross-Site Scripting in i18next Affected versions of `i18next` may fail to sanitize user input when certain configuration options are used. When using the `.init` method, passing interpolation options without passing an `escapeValue` will default to `undefined` rather than the assumed `true`. ## Proof of Concept ```js var init = i18n.init({ interpolation: { prefix: "__", suffix: "__", escapeValue: true } }, function(){ var test = i18n.t('__firstName__ __lastName__', { firstName: 'Bob', lastName: '["foo","bar"]', }); console.log(test); }); ``` When `escapeValue` is explicitly passed, the result of `test` is: ```html &lt;script&gt;alert(1)&lt;&#x2F;script&gt; Johnson ``` This is supposed to be the default. However, if `escapeValue` is not included, the result is the unescaped string: ```html <script>alert(1)</script> Johnson ``` ## Recommendation Update to version 3.4.4 or later.

Metadata

Created: 2018-07-24T19:58:33Z
Modified: 2023-09-08T23:58:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-cmh5-qc8w-xvcq/GHSA-cmh5-qc8w-xvcq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cmh5-qc8w-xvcq
Finding: F008
Auto approve: 1