Miggo Logo

CVE-2016-10524: Denial of Service and Content Injection in i18n-node-angular

8.2

CVSS Score
3.0

Basic Information

EPSS Score
0.48137%
Published
2/18/2019
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
i18n-node-angularnpm< 1.4.01.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the '/i18n/:locale/:phrase' route being registered in production. The commit diff shows this route registration was gated behind a development environment check in the fix. The translate handler (i18nRoutes.translate) attached to this route: 1) Accepts arbitrary user input via :phrase parameter without proper sanitization (CWE-74), enabling XSS 2) Provides an unauthenticated endpoint that could be flooded for DoS (CWE-400). The combination of route exposure in production and lack of input validation/sanitization in the handler makes this function vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `i**n-no**-*n*ul*r` prior to *.*.* *r* *****t** *y **ni*l o* s*rvi** *n* *ross-sit* s*riptin* vuln*r**iliti*s. T** vuln*r**iliti*s *xist in * R*ST *n*point t**t w*s *r**t** *or **v*lopm*nt purpos*s, *ut w*s not *is**l** in pro*u*tion in *

Reasoning

T** vuln*r**ility st*ms *rom t** '/i**n/:lo**l*/:p*r*s*' rout* **in* r**ist*r** in pro*u*tion. T** *ommit *i** s*ows t*is rout* r**istr*tion w*s **t** ***in* * **v*lopm*nt *nvironm*nt ****k in t** *ix. T** tr*nsl*t* **n*l*r (`i**nRout*s.tr*nsl*t*`) *