GHSA-vwhg-jwr4-vxgg

Suggest an improvement
Source
https://github.com/advisories/GHSA-vwhg-jwr4-vxgg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-vwhg-jwr4-vxgg/GHSA-vwhg-jwr4-vxgg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vwhg-jwr4-vxgg
Aliases
Published
2024-08-15T18:06:50Z
Modified
2024-08-16T18:15:39Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
gettext.js has a Cross-site Scripting injection
Details

Impact

Possible vulnerability to XSS injection if .po dictionary definition files is corrupted

Patches

Update gettext.js to 2.0.3

Workarounds

Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

Database specific 
{
    "nvd_published_at": "2024-08-16T02:15:17Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-15T18:06:50Z"
}
References

Affected packages

npm / gettext.js

Package

Name
gettext.js
View open source insights on deps.dev
Purl
pkg:npm/gettext.js

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.3