GitHub Advisory DatabaseGHSA-CMH5-QC8W-XVCQCross-Site Scripting in i18next
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
41.5%
Affected versions of i18next may fail to sanitize user input when certain configuration options are used. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true.
Proof of Concept
var init = i18n.init({
interpolation: {
prefix: "__",
suffix: "__",
escapeValue: true
}
}, function(){
var test = i18n.t('__firstName__ __lastName__', {
firstName: 'Bob',
lastName: '["foo","bar"]',
});
console.log(test);
});
When escapeValue is explicitly passed, the result of test is:
<script>alert(1)</script> Johnson
This is supposed to be the default. However, if escapeValue is not included, the result is the unescaped string:
<script>alert(1)</script> Johnson
Recommendation
Update to version 3.4.4 or later.
Affected configurations
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
41.5%