CVE-2024-43370 HIGH

CVE-2024-43370: gettext.js vulnerable to cross-site scripting (XSS)

Vendor Guillaumepotier

Product gettext.js

Weakness CWE-79 · XSS

Published August 15, 2024

Last update August 16, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

Key dates

02Disclosure timeline

August 15, 2024 CVE published

August 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-43370 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2024-43370: gettext.js vulnerable to cross-site scripting (XSS)

01Description

02Disclosure timeline

03References

04Related CVE