Cross-Site Scripting Vulnerability in i18next Language Framework by i18next
CVE-2017-16010

6.1 MEDIUM

Key Information:

Vendor: Hackerone

CVE Published: 29 May 2018

What is CVE-2017-16010?

The i18next language translation framework is vulnerable to cross-site scripting through its .init method. If interpolation options are passed without specifying an escapeValue, that option ends up set to undefined instead of defaulting to true, so user input that is expected to be escaped is not escaped. This poses a significant security risk: unescaped user input is processed, potentially enabling attackers to inject malicious scripts.
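The defaulting defect described above, as an added example that is not i18next's source code: a simplified model of how a shallow options merge loses a nested default, next to a merge that fails closed. The names `initVulnerable`, `initHardened`, `interpolate` and the sample options are hypothetical.

```javascript
// Simplified model of the defaulting defect; hypothetical names, not i18next source.
const DEFAULTS = {
  lng: 'en',
  interpolation: { escapeValue: true, prefix: '{{', suffix: '}}' },
};

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// Vulnerable pattern: a shallow merge lets the caller's interpolation object
// replace the default one wholesale, so escapeValue ends up undefined.
function initVulnerable(options = {}) {
  return { ...DEFAULTS, ...options };
}

// Hardened pattern: merge the nested object key by key and fail closed:
// escaping is disabled only by an explicit `escapeValue: false`.
function initHardened(options = {}) {
  const interpolation = { ...DEFAULTS.interpolation, ...(options.interpolation || {}) };
  interpolation.escapeValue = interpolation.escapeValue !== false;
  return { ...DEFAULTS, ...options, interpolation };
}

// Substitute each variable, escaping only when escapeValue is truthy.
function interpolate(template, vars, cfg) {
  const { prefix, suffix, escapeValue } = cfg.interpolation;
  return Object.entries(vars).reduce((out, [key, value]) => {
    const text = escapeValue ? escapeHtml(String(value)) : String(value);
    return out.split(prefix + key + suffix).join(text);
  }, template);
}

// Constructed sample input: caller customises delimiters, omits escapeValue.
const CALLER_OPTIONS = { interpolation: { prefix: '__', suffix: '__' } };
const TEMPLATE = 'Hello __name__';
const UNTRUSTED = { name: '<img src=x onerror=alert(1)>' };

function render(init) {
  return interpolate(TEMPLATE, UNTRUSTED, init(CALLER_OPTIONS));
}

console.log('vulnerable:', render(initVulnerable));
console.log('hardened:  ', render(initHardened));
```

Because the condition only arises when interpolation options omit escapeValue, code that passes interpolation options can state `escapeValue: true` explicitly rather than rely on the default.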

Affected Version(s)

i18next node module >=2.0.0 <=3.4.3

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
