Base Score

MEDIUM5.3

CVE-2024-52809

vue-i18n is an internationalization plugin for Vue.js. In affected versions vue-i18n can be passed locale messages to `createI18n` or `useI18n`. When locale message ASTs are generated in development mode there is a possibility of Cross-site Scripting attack. This issue has been addressed in versions 9.14.2, and 10.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateNov 29, 2024, 19:15

Affected Versions(9)

@intlify/core-base(npm)

Introduced9.3.0

Fixed9.14.2

LimitN/A

vue-i18n(npm)

Introduced9.3.0

Fixed9.14.2

LimitN/A

@intlify/core(npm)

Introduced9.3.0

Fixed9.14.2

LimitN/A

@intlify/vue-i18n-core(npm)

Introduced9.3.0

Fixed9.14.2

LimitN/A

petite-vue-i18n(npm)

Introduced10.0.0

Fixed10.0.5

LimitN/A

@intlify/core-base(npm)

Introduced10.0.0

Fixed10.0.5

LimitN/A

vue-i18n(npm)

Introduced10.0.0

Fixed10.0.5

LimitN/A

@intlify/core(npm)

Introduced10.0.0

Fixed10.0.5

LimitN/A

@intlify/vue-i18n-core(npm)

Introduced10.0.0

Fixed10.0.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
@intlify/core-base(npm)	9.3.0	9.14.2	N/A
vue-i18n(npm)	9.3.0	9.14.2	N/A
@intlify/core(npm)	9.3.0	9.14.2	N/A
@intlify/vue-i18n-core(npm)	9.3.0	9.14.2	N/A
petite-vue-i18n(npm)	10.0.0	10.0.5	N/A
@intlify/core-base(npm)	10.0.0	10.0.5	N/A
vue-i18n(npm)	10.0.0	10.0.5	N/A
@intlify/core(npm)	10.0.0	10.0.5	N/A
@intlify/vue-i18n-core(npm)	10.0.0	10.0.5	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

5.3

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

PASSIVE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

5.3

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

PASSIVE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

CVE-2024-52809

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateNov 29, 2024, 19:15

Package (Ecosystem)

Introduced

Fixed

Limit

@intlify/core-base(npm)

9.3.0

9.14.2

N/A

vue-i18n(npm)

9.3.0

9.14.2

N/A

@intlify/core(npm)

9.3.0

9.14.2

N/A

@intlify/vue-i18n-core(npm)

9.3.0

9.14.2

N/A

petite-vue-i18n(npm)

10.0.0

10.0.5

N/A

@intlify/core-base(npm)

10.0.0

10.0.5

N/A

vue-i18n(npm)

10.0.0

10.0.5

N/A

@intlify/core(npm)

10.0.0

10.0.5

N/A

@intlify/vue-i18n-core(npm)

10.0.0

10.0.5

N/A