Affected versions of react-dom
are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim’s browser. To be affected by this vulnerability, the application needs to:
ReactDOMServer
If you are using react-dom
16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom
16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom
16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom
16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom
16.4.x, upgrade to 16.4.2 or later.