FKIE_CVE-2024-43370

Vulnerability from fkie_nvd - Published: 2024-08-16 02:15 - Updated: 2024-08-19 13:00
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.
References
security-advisories@github.comhttps://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8
security-advisories@github.comhttps://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms."
    },
    {
      "lang": "es",
      "value": "gettext.js es un puerto gettext de GNU para el nodo y el navegador. Hay una inyecci\u00f3n de Cross Site Scripting (XSS) si los archivos de definici\u00f3n del diccionario `.po` est\u00e1n da\u00f1ados. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.0.3. Como soluci\u00f3n alternativa, controle el origen del cat\u00e1logo de definiciones para evitar el uso de este defecto en la definici\u00f3n de formas plurales."
    }
  ],
  "id": "CVE-2024-43370",
  "lastModified": "2024-08-19T13:00:23.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-16T02:15:17.487",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.