Reflected cross-site scripting (XSS) in i18next

Description

Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.

Proof of Concept

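// Run against an affected i18next version (before 1.10.3), loaded as `i18n`.
var init = i18n.init({debug: true}, function(){
  var test = i18n.t('__firstName__ __lastName__', {
    escapeInterpolation: true,      // escaping is requested for interpolated values
    firstName: '__lastNameHTML__',  // the value is itself a placeholder name
    lastName: '<script>',           // markup that should only ever appear escaped
  });
  // Check the logged string for an unescaped '<script>'.
  console.log(test);
});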
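The following added example is not i18next source and is not part of the original advisory; it is a simplified model of why the values in the proof of concept defeat escaping, next to a single-pass form that does not. It assumes, as the PoC implies, that `__key__` inserts the escaped value and `__keyHTML__` the raw one; the function names `interpolateSequential`, `interpolateSinglePass` and `demo` are hypothetical.

```javascript
// Simplified model, constructed for illustration (not i18next code).
// Assumption: "__key__" inserts the HTML-escaped value, "__keyHTML__" the raw value.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};
const escapeHtml = (s) => String(s).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Weak form: one replacement pass per key over the whole working string, so a
// value inserted for an earlier key is scanned again when later keys are handled.
function interpolateSequential(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.split(`__${key}HTML__`).join(String(value));
    out = out.split(`__${key}__`).join(escapeHtml(value));
  }
  return out;
}

// Hardened form: a single pass over the template only. Substituted values are
// never rescanned, so a placeholder name inside a value stays inert text.
function interpolateSinglePass(template, values) {
  return template.replace(/__([A-Za-z0-9]+)__/g, (match, name) => {
    if (own(values, name)) return escapeHtml(values[name]);
    const base = name.endsWith('HTML') ? name.slice(0, -4) : null;
    if (base && own(values, base)) return String(values[base]);
    return match; // unknown placeholder: leave untouched
  });
}

// Same template and values as the proof of concept above.
function demo() {
  const template = '__firstName__ __lastName__';
  const values = { firstName: '__lastNameHTML__', lastName: '<script>' };
  return {
    sequential: interpolateSequential(template, values),
    singlePass: interpolateSinglePass(template, values),
  };
}

console.log(demo());
```

In the sequential form the attacker-controlled `firstName` value turns into a raw-output placeholder, which is how unescaped markup reaches the result even though escaping was requested.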

Recommendation

Update to version 1.10.3 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
