Vulnerability Description
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| I18Next | I18Next | >= 2.0.0, <= 3.4.3 |
Related Weaknesses (CWE)
References
- https://github.com/i18next/i18next/pull/826ExploitIssue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/326ExploitThird Party Advisory
- https://github.com/i18next/i18next/pull/826ExploitIssue TrackingThird Party Advisory
- https://nodesecurity.io/advisories/326ExploitThird Party Advisory
FAQ
What is CVE-2017-16010?
CVE-2017-16010 is a vulnerability with a CVSS score of 6.1 (MEDIUM). i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can ...
How severe is CVE-2017-16010?
CVE-2017-16010 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-16010?
Check the references section above for vendor advisories and patch information. Affected products include: I18Next I18Next.