Source: gettext.js
Version: 0.7.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gettext.js.

CVE-2024-43370[0]:
| gettext.js is a GNU gettext port for node and the browser. There is
| a cross-site scripting (XSS) injection if `.po` dictionary
| definition files are corrupted. This vulnerability has been patched
| in version 2.0.3. As a workaround, control the origin of the
| definition catalog to prevent the use of this flaw in the definition
| of plural forms.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43370
    https://www.cve.org/CVERecord?id=CVE-2024-43370
[1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
[2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c

Regards,
Salvatore
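The advisory quoted above says the flaw sits in how the plural-forms definition of a `.po` catalog is handled. The following is an added illustration, not code from gettext.js, from the upstream fix, or from this bug report: it assumes (as an assumption, not a statement about the library's actual implementation) that a `Plural-Forms:` header such as `nplurals=2; plural=(n != 1);` is turned into JavaScript with `new Function`, shows how a corrupted header then executes attacker-chosen code in the page, and contrasts it with a small parser that accepts only the C-like plural grammar (`n`, integers, parentheses, arithmetic, comparison, logical and ternary operators) and nothing else. Both header strings are constructed for the example.

```javascript
'use strict';

// Constructed sample headers (not taken from any real catalog).
const GOOD_HEADER = 'nplurals=2; plural=(n != 1);';
const MALICIOUS_HEADER =
  "nplurals=2; plural=(n != 1); globalThis.pwned = '<img src=x onerror=alert(1)>';";

// Unsafe pattern (assumed for illustration): the header text is spliced into
// a function body, so anything after the plural expression runs as JavaScript
// in the application's origin.
function unsafePluralFunc(header) {
  return new Function('n', 'var plural, nplurals; ' + header +
    ' return { nplurals: nplurals, plural: plural === true ? 1 : (plural ? plural : 0) };');
}

// Safe alternative: tokenise and parse the plural expression ourselves.
// Anything outside this token set (letters other than `n`, dots, brackets,
// quotes, ...) is a parse error, so no JavaScript is ever evaluated.
const TOKEN_RE = /\s*(\d+|n|\(|\)|\?|:|\|\||&&|==|!=|<=|>=|<|>|!|%|\+|-|\*|\/)/y;

function tokenize(src) {
  const toks = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < src.length) {
    const m = TOKEN_RE.exec(src);          // sticky: must match at lastIndex
    if (!m) throw new Error('invalid plural expression: ' + src);
    toks.push(m[1]);
  }
  return toks;
}

// Recursive-descent parser following C precedence; returns (n) => integer.
function parsePlural(expr) {
  const toks = tokenize(expr.trim());
  let i = 0;
  const peek = () => toks[i];
  const take = (t) => { if (toks[i] !== t) throw new Error('expected ' + t); i++; };
  const num = (b) => (b ? 1 : 0);
  // Builds a left-associative binary level from the next-higher level.
  const binary = (next, ops) => () => {
    let left = next();
    while (ops[peek()]) {
      const f = ops[toks[i++]];
      const l = left, r = next();
      left = (n) => f(l(n), r(n));
    }
    return left;
  };
  let ternary;
  const primary = () => {
    const t = toks[i++];
    if (t === 'n') return (n) => n;
    if (/^\d+$/.test(t)) { const v = Number(t); return () => v; }
    if (t === '(') { const e = ternary(); take(')'); return e; }
    throw new Error('unexpected token ' + t);
  };
  const unary = () => {
    if (peek() === '!') { i++; const e = unary(); return (n) => num(!e(n)); }
    return primary();
  };
  const mul = binary(unary, { '*': (a, b) => a * b, '/': (a, b) => Math.trunc(a / b), '%': (a, b) => a % b });
  const add = binary(mul, { '+': (a, b) => a + b, '-': (a, b) => a - b });
  const rel = binary(add, { '<': (a, b) => num(a < b), '>': (a, b) => num(a > b),
                            '<=': (a, b) => num(a <= b), '>=': (a, b) => num(a >= b) });
  const eq = binary(rel, { '==': (a, b) => num(a === b), '!=': (a, b) => num(a !== b) });
  const and = binary(eq, { '&&': (a, b) => num(a && b) });
  const or = binary(and, { '||': (a, b) => num(a || b) });
  ternary = () => {                        // right-associative, as in C
    const cond = or();
    if (peek() !== '?') return cond;
    i++;
    const yes = ternary(); take(':'); const no = ternary();
    return (n) => (cond(n) ? yes(n) : no(n));
  };
  const fn = ternary();
  if (i !== toks.length) throw new Error('trailing input after plural expression');
  return fn;
}

// Strict header shape: `nplurals=<int>; plural=<expr>;` and nothing else.
const HEADER_RE = /^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/;

function safePluralFunc(header) {
  const m = HEADER_RE.exec(header);
  if (!m) throw new Error('malformed Plural-Forms header');
  const nplurals = Number(m[1]);
  const plural = parsePlural(m[2]);        // throws on anything outside the grammar
  return (n) => ({ nplurals, plural: plural(n) });
}

module.exports = { GOOD_HEADER, MALICIOUS_HEADER, unsafePluralFunc, safePluralFunc, parsePlural };
```

With the unsafe variant, `unsafePluralFunc(MALICIOUS_HEADER)(1)` sets `globalThis.pwned` as a side effect of merely computing a plural index, which is exactly the class of problem the advisory describes; the safe variant rejects the same header before anything is evaluated, and still handles real-world expressions such as the Russian three-form rule. The workaround in the advisory (controlling where catalogs come from) is the deployment-side counterpart of this input validation.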