Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY4OWctd2hwZi02cTlt

Cross-Site Scripting in i18next

Affected versions of i18next treat untrusted user input passed as an interpolation value as if it were a placeholder name, so it is interpolated a second time. As the proof of concept below shows, a value of "__lastNameHTML__" pulls in another variable through the unescaped "HTML" suffix, bypassing escapeInterpolation: true and resulting in a cross-site scripting vulnerability.

Proof of Concept

// Reproduces against i18next <= 1.10.2 under Node.js (assumed usage; in the
// 1.x line the i18n object is the module export).
var i18n = require('i18next');

i18n.init({debug: true}, function(){
  // escapeInterpolation is on, so '<script>' should arrive HTML-escaped.
  // firstName's value is itself a placeholder, and its 'HTML' suffix asks
  // for an unescaped insertion of lastName, so the escaping is bypassed.
  var test = i18n.t('__firstName__ __lastName__', {
        escapeInterpolation: true,
        firstName: '__lastNameHTML__',   // attacker-controlled value
        lastName: '<script>',            // attacker-controlled value
  });
  console.log(test);
});
// equals "<script> &lt;script&gt;"
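The following is an added example and not code from the i18next project or from the original advisory. It models, in a deliberately simplified form, the sequential substitution that the proof of concept relies on, places a single-pass variant beside it (an illustration of the safe behaviour, not the actual 1.10.3 patch), and adds a small check for the affected range listed on this page. The function names, the escapeHtml helper and the hardened design are assumptions of this example; the template and values are the constructed PoC inputs.

```javascript
// Added example, not i18next's own code: a minimal model of the
// interpolation behaviour the proof of concept above relies on, a single-pass
// variant that closes the hole, and a version check for the range this
// advisory lists. Template and values are the constructed PoC inputs.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable model (simplified, not the library's source): variables are
// substituted one at a time over the evolving string, so a value that itself
// looks like a placeholder ("__lastNameHTML__") is consumed by a later
// substitution. The "HTML" suffix requests an unescaped insertion, which is
// how the raw "<script>" reaches the output despite escaping being on.
function interpolateVulnerable(template, values) {
  let out = template;
  for (const key of Object.keys(values)) {
    const raw = String(values[key]);
    out = out.split('__' + key + 'HTML__').join(raw);          // unescaped form
    out = out.split('__' + key + '__').join(escapeHtml(raw));  // escaped form
  }
  return out;
}

// Hardened model (an illustration, not the 1.10.3 patch): one regex pass over
// the original template. Each placeholder is resolved exactly once and the
// substituted text is never rescanned, so a value cannot introduce new
// placeholders; it survives only as literal text. Unescaped "HTML" insertion
// is additionally gated behind an explicit opt-in.
const PLACEHOLDER = /__([A-Za-z0-9_]+?)(HTML)?__/g;

function interpolateSafe(template, values, allowUnescaped = false) {
  return template.replace(PLACEHOLDER, (match, key, htmlSuffix) => {
    // Unknown variable: leave the placeholder text untouched.
    if (!Object.prototype.hasOwnProperty.call(values, key)) return match;
    const raw = String(values[key]);
    return htmlSuffix && allowUnescaped ? raw : escapeHtml(raw);
  });
}

// Audit helper: true when a resolved i18next version (e.g. from a lockfile)
// falls in the affected range "<= 1.10.2" given on this page; 1.10.3 is the
// first fixed release. Pre-release and build suffixes are ignored.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error('unparseable version: ' + version);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 1) return major < 1;
  if (minor !== 10) return minor < 10;
  return patch < 3;
}

// Constructed inputs: the template and values from the proof of concept.
const POC_TEMPLATE = '__firstName__ __lastName__';
const POC_VALUES = { firstName: '__lastNameHTML__', lastName: '<script>' };

function runPoc() {
  return {
    vulnerable: interpolateVulnerable(POC_TEMPLATE, POC_VALUES), // "<script> &lt;script&gt;"
    hardened: interpolateSafe(POC_TEMPLATE, POC_VALUES, true),   // "__lastNameHTML__ &lt;script&gt;"
  };
}

console.log(runPoc());
console.log('1.10.2 affected:', isAffected('1.10.2'), '| 1.10.3 affected:', isAffected('1.10.3'));
```

The vulnerable model reproduces the advisory's output exactly because the second loop iteration rewrites text that the first iteration produced. The hardened model resolves every placeholder from the original template in one replace call, so the injected "__lastNameHTML__" is emitted as escaped literal text rather than being interpreted; whether an "HTML" suffix may ever insert raw markup becomes a caller decision instead of something an attacker-controlled value can trigger.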

Recommendation

Update to version 1.10.3 or later.

Permalink: https://github.com/advisories/GHSA-f89g-whpf-6q9m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY4OWctd2hwZi02cTlt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 8 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-f89g-whpf-6q9m, CVE-2017-16008
References: Repository: https://github.com/i18next/i18next
Blast Radius: 28.7

Affected Packages

npm:i18next
Dependent packages: 5,066
Dependent repositories: 49,895
Downloads: 22,204,308 last month
Affected Version Ranges: <= 1.10.2
Fixed in: 1.10.3
All affected versions: 0.0.1, 0.5.0, 0.5.1, 0.5.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.5.0, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.3, 1.7.4, 1.7.6, 1.7.8, 1.7.9, 1.7.10, 1.9.0, 1.10.0, 1.10.1, 1.10.2
All unaffected versions: 1.10.3, 1.10.4, 1.10.5, 1.10.6, 2.0.0, 2.0.1, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 5.0.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.1.2, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 8.0.0, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 9.0.0, 9.0.1, 9.1.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.3.0, 10.4.0, 10.4.1, 10.5.0, 10.5.1, 10.6.0, 11.0.0, 11.1.1, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 11.8.0, 11.9.0, 11.9.1, 11.10.0, 11.10.1, 11.10.2, 12.0.0, 12.1.0, 13.0.0, 13.0.1, 13.1.0, 13.1.1, 13.1.2, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.0.5, 15.0.6, 15.0.7, 15.0.8, 15.0.9, 15.0.10, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 16.0.0, 17.0.0, 17.0.1, 17.0.2, 17.0.3, 17.0.4, 17.0.5, 17.0.6, 17.0.7, 17.0.8, 17.0.9, 17.0.10, 17.0.11, 17.0.12, 17.0.13, 17.0.14, 17.0.15, 17.0.16, 17.0.17, 17.0.18, 17.1.0, 17.2.0, 17.3.0, 17.3.1, 18.0.0, 18.0.1, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.2.0, 19.3.0, 19.3.1, 19.3.2, 19.3.3, 19.3.4, 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.5.0, 19.5.1, 19.5.2, 19.5.3, 19.5.4, 19.5.5, 19.5.6, 19.6.0, 19.6.1, 19.6.2, 19.6.3, 19.7.0, 19.8.0, 19.8.1, 19.8.2, 19.8.3, 19.8.4, 19.8.5, 19.8.6, 19.8.7, 19.8.8, 19.8.9, 19.9.0, 19.9.1, 19.9.2, 20.0.0, 20.1.0, 20.2.0, 20.2.1, 20.2.2, 20.2.3, 20.2.4, 20.3.0, 20.3.1, 20.3.2, 20.3.3, 20.3.4, 20.3.5, 20.4.0, 20.5.0, 20.6.0, 20.6.1, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.2.0, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 21.2.5, 21.2.6, 21.3.0, 21.3.1, 21.3.2, 21.3.3, 21.4.0, 21.4.1, 21.4.2, 21.5.0, 21.5.1, 21.5.2, 21.5.3, 21.5.4, 21.5.5, 21.5.6, 21.6.0, 21.6.1, 21.6.2, 21.6.3, 21.6.4, 21.6.5, 21.6.6, 21.6.7, 21.6.8, 21.6.9, 21.6.10, 21.6.11, 21.6.12, 21.6.13, 21.6.14, 21.6.15, 21.6.16, 21.7.0, 21.7.1, 21.8.0, 21.8.1, 21.8.2, 21.8.3, 21.8.4, 21.8.5, 21.8.6, 21.8.7, 21.8.8, 21.8.9, 21.8.10, 21.8.11, 21.8.12, 21.8.13, 21.8.14, 21.8.15, 21.8.16, 21.9.0, 21.9.1, 21.9.2, 21.10.0, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 22.0.6, 22.0.7, 22.0.8, 22.1.0, 22.1.1, 22.1.2, 22.1.3, 22.1.4, 22.1.5, 22.2.0, 22.3.0, 22.4.0, 22.4.1, 22.4.2, 22.4.3, 22.4.4, 22.4.5, 22.4.6, 22.4.7, 22.4.8, 22.4.9, 22.4.10, 22.4.11, 22.4.12, 22.4.13, 22.4.14, 22.4.15, 22.5.0, 22.5.1, 23.0.0, 23.0.1, 23.0.2, 23.1.0, 23.2.0, 23.2.1, 23.2.2, 23.2.3, 23.2.5, 23.2.6, 23.2.7, 23.2.8, 23.2.9, 23.2.10, 23.2.11, 23.3.0, 23.4.0, 23.4.1, 23.4.2, 23.4.3, 23.4.4, 23.4.5, 23.4.6, 23.4.7, 23.4.8, 23.4.9, 23.5.0, 23.5.1, 23.6.0, 23.7.0, 23.7.1, 23.7.2, 23.7.3, 23.7.4, 23.7.5, 23.7.6, 23.7.7, 23.7.8, 23.7.9, 23.7.10, 23.7.11, 23.7.12, 23.7.13, 23.7.14, 23.7.15, 23.7.16, 23.7.17, 23.7.18, 23.7.19, 23.7.20, 23.8.0, 23.8.1, 23.8.2, 23.8.3, 23.9.0, 23.10.0, 23.10.1, 23.11.0, 23.11.1, 23.11.2, 23.11.3