Lucene search
UnknownNODEJS:1421HistoryNov 29, 2019 - 7:18 p.m.
Cross-Site Scripting
2019-11-2919:18:16
Unknown
www.npmjs.com
12
0.001 Low
EPSS
Percentile
36.1%
Overview
Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim’s browser. To be affected by this vulnerability, the application needs to:
- be a server-side React app
- be rendered to HTML using
ReactDOMServer - include an attribute name from user input in an HTML tag
Recommendation
If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| react-dom | eq | 16.0.0 || >=16.1.0 <16.1.2 || 16.2.0 || >=16.3.0 <16.3.3 || >=16.4.0 <16.4.2 |
Related
cve
cve
CVE-2018-6341
2018-12-31 22:29:00
osv
osv
Cross-Site Scripting in react-dom
2019-01-04 19:05:35
CVE-2018-6341
2018-12-31 22:29:00
cvelist
cvelist
CVE-2018-6341
2018-12-31 22:00:00
veracode
veracode
Cross-site Scripting (XSS)
2018-08-06 08:54:22
github
github
Cross-Site Scripting in react-dom
2019-01-04 19:05:35
prion
prion
Cross site scripting
2018-12-31 22:29:00
nvd
nvd
CVE-2018-6341
2018-12-31 22:29:00
