Vulnerability identifier: #VU32784
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software: i18next (Web applications / Modules and components for CMS)
Vendor: i18next
Description
The vulnerability allows a remote attacker to pollute the prototype of JavaScript objects in the affected application.
The vulnerability exists due to improper input validation in the addResourceBundle API, which, when deep merging is requested, merges the supplied resource object into the resource store with the deepExtend function. Because deepExtend recurses into every key of the source object, a resource object containing a "__proto__" key (for example a crafted translation JSON file loaded from an untrusted source) causes the merge to descend into Object.prototype and add or overwrite properties on it. Every object in the process then inherits the injected properties, which can alter application logic that relies on property lookups.
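The merge pattern behind this flaw, as an added example that is not code from the original advisory or from i18next itself: a simplified recursive merge in the style described above, a constructed bundle that pollutes Object.prototype through it, and a hardened variant that refuses prototype-reaching keys. The function and variable names (deepExtendVulnerable, deepExtendSafe, mergeBundle, MALICIOUS_BUNDLE_JSON) are this example's own, and mergeBundle only imitates the deep+overwrite path of addResourceBundle against a small in-memory store.

```javascript
// Added illustration for this advisory. The two merge functions below are
// simplified stand-ins written for this page to show the flaw class; they are
// NOT i18next's own deepExtend, and the translation bundle is constructed.

// Vulnerable recursive merge: it recurses into *any* key found on the source,
// including "__proto__". Since "__proto__" in target is true for every plain
// object, the recursion lands on Object.prototype and writes into it.
function deepExtendVulnerable(target, source, overwrite = false) {
  for (const prop in source) {
    if (prop in target) {
      if (typeof target[prop] === 'object' && target[prop] !== null &&
          typeof source[prop] === 'object' && source[prop] !== null) {
        deepExtendVulnerable(target[prop], source[prop], overwrite);
      } else if (overwrite) {
        target[prop] = source[prop];
      }
    } else {
      target[prop] = source[prop];
    }
  }
  return target;
}

// Hardened merge: refuses prototype-reaching keys, only walks own properties
// of the source, and only descends into *own* plain-object properties of the
// target, so inherited accessors such as __proto__ are never followed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => Object.prototype.toString.call(v) === '[object Object]';

function deepExtendSafe(target, source, overwrite = false) {
  for (const prop in source) {
    if (FORBIDDEN_KEYS.has(prop) || !hasOwn(source, prop)) continue;
    if (hasOwn(target, prop)) {
      if (isPlainObject(target[prop]) && isPlainObject(source[prop])) {
        deepExtendSafe(target[prop], source[prop], overwrite);
      } else if (overwrite) {
        target[prop] = source[prop];
      }
    } else {
      target[prop] = source[prop];
    }
  }
  return target;
}

// Constructed attacker-supplied bundle, e.g. a translation file fetched from an
// untrusted host or uploaded by a user. JSON.parse turns "__proto__" into an
// ordinary own property, which for...in then visits.
const MALICIOUS_BUNDLE_JSON =
  '{"welcome":"hi","nav":{"home":"Home"},"__proto__":{"polluted":"yes"}}';

// Imitates the deep+overwrite path of addResourceBundle(lng, ns, resources,
// true, true) against a small resource store, then checks whether an
// unrelated, freshly created object now sees the injected property.
function mergeBundle(mergeFn) {
  const store = { en: { translation: { welcome: 'hello', nav: { about: 'About' } } } };
  mergeFn(store.en.translation, JSON.parse(MALICIOUS_BUNDLE_JSON), true);
  const leaked = ({}).polluted;      // undefined unless Object.prototype was written
  delete Object.prototype.polluted;  // undo any pollution so later code is unaffected
  return { welcome: store.en.translation.welcome, nav: store.en.translation.nav, leaked };
}

console.log('vulnerable:', mergeBundle(deepExtendVulnerable)); // leaked: 'yes'
console.log('hardened:  ', mergeBundle(deepExtendSafe));       // leaked: undefined
```

Run it with node. The hardened variant still deep-merges legitimate nested keys (nav.home lands next to nav.about), so the fix costs nothing functionally. The `delete` at the end of mergeBundle exists only so the demo leaves the process clean; in a real application a polluted process should be restarted rather than patched up, because code may already have observed the injected property.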
Mitigation
Install updates from the vendor's website; releases after 19.5.6 contain the fix from pull request 1482. Until the update is deployed, do not pass resource objects from untrusted sources to addResourceBundle with deep merging enabled, or strip "__proto__", "constructor" and "prototype" keys from such objects before merging.
Vulnerable software versions
i18next: 1.6.0 - 19.5.6
External links
http://snyk.io/vuln/SNYK-JS-I18NEXT-585930
http://github.com/i18next/i18next/pull/1482
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.