Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12d2hnLWp3cjQtdnhnZ84AA-rw
gettext.js has a Cross-site Scripting injection
Impact
Possible vulnerability to XSS injection if .po dictionary definition files is corrupted
Patches
Update gettext.js to 2.0.3
Workarounds
Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.
Permalink: https://github.com/advisories/GHSA-vwhg-jwr4-vxggJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12d2hnLWp3cjQtdnhnZ84AA-rw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-vwhg-jwr4-vxgg, CVE-2024-43370
References:
- https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
- https://nvd.nist.gov/vuln/detail/CVE-2024-43370
- https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8
- https://github.com/advisories/GHSA-vwhg-jwr4-vxgg
Blast Radius: 14.1
Affected Packages
npm:gettext.js
Dependent packages: 21Dependent repositories: 91
Downloads: 16,752 last month
Affected Version Ranges: < 2.0.3
Fixed in: 2.0.3
All affected versions: 0.0.1, 0.3.0, 0.5.2, 0.5.3, 0.5.5, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 1.0.0, 1.0.1, 1.1.1, 1.2.0, 2.0.0, 2.0.1, 2.0.2
All unaffected versions: 2.0.3