CVE-2017-16010
Cross-Site Scripting in i18next
Description
Affected versions of `i18next` may fail to sanitize user input when certain configuration options are used. When using the `.init` method, passing interpolation options without passing an `escapeValue` will default to `undefined` rather than the assumed `true`. ## Proof of Concept ```js var init = i18n.init({ interpolation: { prefix: "__", suffix: "__", escapeValue: true } }, function(){ var test = i18n.t('__firstName__ __lastName__', { firstName: 'Bob', lastName: '["foo","bar"]', }); console.log(test); }); ``` When `escapeValue` is explicitly passed, the result of `test` is: ```html <script>alert(1)</script> Johnson ``` This is supposed to be the default. However, if `escapeValue` is not included, the result is the unescaped string: ```html <script>alert(1)</script> Johnson ``` ## Recommendation Update to version 3.4.4 or later.
How to fix CVE-2017-16010
To remediate CVE-2017-16010, upgrade the affected package to a fixed version below.
- —upgrade to 3.4.4 or later
Is CVE-2017-16010 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.0.0, < 3.4.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |