
CVE-2017-16010: Cross-Site Scripting in i18next

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.45009%
Published: 7/24/2018
Updated: 9/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: i18next
Ecosystem: npm
Vulnerable Versions: >= 2.0.0, < 3.4.4
First Patched Version: 3.4.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The security patch changes how the Interpolator constructor handles the escapeValue option. In vulnerable versions, when escapeValue was not explicitly provided in the interpolation options, it stayed undefined instead of defaulting to true, so interpolated values were inserted without HTML escaping. The constructor is directly responsible for initializing the escaping behavior, and this incorrect default would appear in any stack trace that initializes the i18n instance with a vulnerable configuration. The interpolate() method that processes values inherits the insecure configuration, but the root cause is the constructor's initialization logic, as shown in the patch.
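As an added illustration (not i18next's own code, nor code from the advisory), the following minimal interpolator models the constructor default described above: the vulnerable branch copies escapeValue as given, so an omitted option stays undefined and escaping is silently off; the patched branch defaults it to true. ToyInterpolator, render, reliesOnEscapeDefault, the prefix/suffix handling and the `{ interpolation: {...} }` config shape are assumptions made for this example; only `escapeValue`, `.init` and the notion of interpolation options come from the page.

```javascript
// Added example modelling the escapeValue default described in the
// root-cause analysis. Not i18next code; names are constructed.

// Minimal HTML escaping for values inserted into markup.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Escape a literal string for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

class ToyInterpolator {
  // `patched` selects the fixed constructor logic; the default models the
  // vulnerable behaviour.
  constructor(options = {}, { patched = false } = {}) {
    this.prefix = options.prefix || '{{';
    this.suffix = options.suffix || '}}';
    // Vulnerable: copy the option as given, so an omitted escapeValue stays
    // undefined (falsy) and escaping is silently disabled.
    // Patched: an omitted escapeValue defaults to true; an explicit false is
    // still honoured because the caller asked for it.
    this.escapeValue = patched
      ? (options.escapeValue !== undefined ? options.escapeValue : true)
      : options.escapeValue;
    this.pattern = new RegExp(
      `${escapeRe(this.prefix)}\\s*(\\w+)\\s*${escapeRe(this.suffix)}`, 'g');
  }

  // Replace each placeholder with its value, escaping only when enabled.
  interpolate(template, values) {
    return template.replace(this.pattern, (_, key) => {
      const v = values[key] === undefined ? '' : values[key];
      return this.escapeValue ? escapeHtml(v) : String(v);
    });
  }
}

// Constructed sample input: a user-controlled display name containing markup.
const SAMPLE_VALUES = { name: '<b>Mallory</b>' };
const TEMPLATE = 'Hello {{name}}';

// Render the sample through an interpolator built from `interpolationOptions`,
// the object a caller would hand to `.init` as interpolation options.
function render(interpolationOptions, patched) {
  return new ToyInterpolator(interpolationOptions, { patched })
    .interpolate(TEMPLATE, SAMPLE_VALUES);
}

// Configuration audit (assumed config shape: { interpolation: {...} }):
// returns true when interpolation options are passed without an explicit
// escapeValue, i.e. when escaping depends on the library default.
function reliesOnEscapeDefault(initConfig) {
  const interp = initConfig && initConfig.interpolation;
  return interp !== undefined && interp.escapeValue === undefined;
}

// Stand-alone demonstration.
console.log('vulnerable, escapeValue omitted:', render({ prefix: '{{', suffix: '}}' }, false));
console.log('patched,    escapeValue omitted:', render({ prefix: '{{', suffix: '}}' }, true));
console.log('explicit escapeValue: true     :', render({ escapeValue: true }, false));
```

On the vulnerable branch the sample renders with its markup intact, while the patched branch and an explicit `escapeValue: true` both produce escaped output. Setting the option explicitly is the configuration-side mitigation that does not depend on which library version is installed; reliesOnEscapeDefault is the check a reviewer can run over existing `.init` configurations to find ones that still rely on the default.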

WAF Protection Rules

WAF Rule

Affected versions of `i18next` may fail to sanitize user input when certain configuration options are used. When using the `.init` method, passing interpolation options without passing an `escapeValue` will default to `undefined` rather than the assu
