{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43370", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-09T14:23:55.513Z", "datePublished": "2024-08-15T23:44:47.808Z", "dateUpdated": "2024-08-16T15:10:20.251Z"}, "containers": {"cna": {"title": "gettext.js vulnerable to cross-site scripting (XSS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg"}, {"name": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8", "tags": ["x_refsource_MISC"], "url": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8"}], "affected": [{"vendor": "guillaumepotier", "product": "gettext.js", "versions": [{"version": "< 2.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-15T23:44:47.808Z"}, "descriptions": [{"lang": "en", "value": "gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms."}], "source": {"advisory": "GHSA-vwhg-jwr4-vxgg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-16T15:10:02.984428Z", "id": "CVE-2024-43370", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-16T15:10:20.251Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43370", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-16T15:10:02.984428Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-16T15:10:10.336Z"}}], "cna": {"title": "gettext.js vulnerable to cross-site scripting (XSS)", "source": {"advisory": "GHSA-vwhg-jwr4-vxgg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "guillaumepotier", "product": "gettext.js", "versions": [{"status": "affected", "version": "< 2.0.3"}]}], "references": [{"url": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg", "name": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8", "name": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-15T23:44:47.808Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43370", "state": "PUBLISHED", "dateUpdated": "2024-08-16T15:10:20.251Z", "dateReserved": "2024-08-09T14:23:55.513Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-15T23:44:47.808Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms."}, {"lang": "es", "value": "gettext.js es un puerto gettext de GNU para el nodo y el navegador. Hay una inyecci\u00f3n de Cross Site Scripting (XSS) si los archivos de definici\u00f3n del diccionario `.po` est\u00e1n da\u00f1ados. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.0.3. Como soluci\u00f3n alternativa, controle el origen del cat\u00e1logo de definiciones para evitar el uso de este defecto en la definici\u00f3n de formas plurales."}], "id": "CVE-2024-43370", "lastModified": "2024-08-19T13:00:23.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-16T02:15:17.487", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/guillaumepotier/gettext.js/commit/8150aeba833183e14c2291a8a148b8f79d1d68d8"}, {"source": "security-advisories@github.com", "url": "https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}