4876 matches found

Snyk
added 2023/03/01 8:18 a.m. | 1 view

Malicious Package

Overview: react-test-renderer-17 is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Snyk
added 2023/02/21 8:17 a.m. | 1 view

Malicious Package

Overview: tools-access-react is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packag...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Snyk
added 2023/02/21 8:17 a.m. | 3 views

Malicious Package

Overview: mobile-auth-library-react-native is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable ...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Snyk
added 2023/02/21 8:16 a.m. | 2 views

Malicious Package

Overview: react-wp-viewer is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Snyk
added 2023/02/21 8:16 a.m. | 1 view

Malicious Package

Overview: tools-access-react-redux is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
Snyk
added 2023/02/21 8:16 a.m. | 1 view

Malicious Package

Overview: ifoodshop-react-ui is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packag...

CVSS 9.8 | AI score 7.1
Exploits 0 | References 3
wpexploit
added 2023/02/21 12:00 a.m. | 124 views

React Webcam <= 1.2.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. reactwebcam dir='" onmouseover="alert1"...

CVSS 5.4 | AI score 5.2 | EPSS 0.00198
Exploits 2
WPVulnDB
added 2023/02/21 12:00 a.m. | 12 views

React Webcam <= 1.2.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC reactwebcam dir='" onmouseover="alert1"...

CVSS 5.4 | AI score 5 | EPSS 0.00198
Exploits 2 | Affected Software 1
vulnersOsv
added 2023/02/15 3:15 p.m. | 9 views

3lc (>=2.3.84 <=2.6.4), aiocronjob (>=0.6.0 <=0.7.0) +10 more potentially affected by CVE-2023-25578 via starlite (>=1.39.0 <=1.51.16)

starlite PYPI version =1.39.0, =2.3.84, =0.6.0, =0.4.0, =0.5.1, =1.0.0, =0.1.0, =0.1.3, =1.0.0, =0.1.0, =0.8.1 - strawberry-graphql =0.168.0 Source cves: CVE-2023-25578 Source advisory: OSV:PYSEC-2023-49...

CVSS 7.5 | AI score 7.1 | EPSS 0.01275
Exploits 1
Veracode
added 2023/02/14 3:19 a.m. | 50 views

Cross-site Scripting (XSS)

react-admin is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because the dangerouslySetInnerHTML attribute in RichTextField.tsx does not sanitize on the client side. If the data isn't sanitized server-side, the RichTextField attribute allows an attacker to inject and execute...

CVSS 5.4 | AI score 5.9 | EPSS 0.00799
Exploits 1 | References 7 | Affected Software 2
vulnersOsv
added 2023/02/14 12:32 a.m. | 2 views

@api-platform/admin (>=0.5.0 <=1.0.2), @bishoy_melek_wadie/react-admin-firebase (>=0.9.0 <=0.9.1) +69 more potentially affected by CVE-2023-25572 via react-admin (>=2.4.2 <=3.19.11)

react-admin NPM version =2.4.2, =0.5.0, =0.9.0, =0.0.1, =1.0.0, =0.6.5, =0.6.3, =0.8.11, =1.0.1, =1.0.0, =1.0.0, =1.2.0, =1.2.2 and more Source cves: CVE-2023-25572 Source advisory: OSV:GHSA-5JCR-82FH-339V...

CVSS 5.4 | AI score 6.4 | EPSS 0.00799
Exploits 1
vulnersOsv
added 2023/02/14 12:32 a.m. | 2 views

@activitypods/react (>=2.0.0-alpha.13 <=2.2.0), @amplicode/addon-camunda (>=0.0.1-snapshot.1 <=0.0.1-snapshot.9) +56 more potentially affected by CVE-2023-25572 via react-admin (>=4.12.1 <=4.16.20)

react-admin NPM version =4.12.1, =2.0.0-alpha.13, =0.0.1-snapshot.1, =0.0.1-snapshot.1, =0.0.1, =3.0.0, =1.0.10, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =0.0.4, =0.1.33, =4.0.0, =1.1.0, =1.0.0, =1.6.7 and more Source cves: CVE-2023-25572 Source advisory: OSV:GHSA-5JCR-82FH-339V...

CVSS 5.4 | AI score 6.4 | EPSS 0.00799
Exploits 1
Github Security Blog
added 2023/02/14 12:32 a.m. | 36 views

Cross-Site-Scripting attack on `<RichTextField>`

Impact: All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack. Proof of concept: jsx import...

CVSS 5.4 | AI score 5.8 | EPSS 0.00799
Exploits 1 | References 7 | Affected Software 2
OSV
added 2023/02/14 12:32 a.m. | 0 views

GHSA-5JCR-82FH-339V Cross-Site-Scripting attack on `<RichTextField>`

Impact: All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack. Proof of concept: jsx import...

CVSS 5.4 | AI score 7.2 | EPSS 0.00799
Exploits 1 | References 7
vulnersOsv
added 2023/02/14 12:32 a.m. | 2 views

@activitypods/react (>=2.0.0-alpha.13 <=2.2.0), @amplicode/addon-camunda (>=0.0.1-snapshot.1 <=0.0.1-snapshot.9) +58 more potentially affected by CVE-2023-25572 via ra-ui-materialui (>=4.12.0 <=4.16.20)

ra-ui-materialui NPM version =4.12.0, =2.0.0-alpha.13, =0.0.1-snapshot.1, =0.0.1-snapshot.1, =0.0.1, =3.0.0, =1.0.10, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =0.0.4, =0.1.33, =4.0.0, =1.1.0, =1.0.0, =1.6.7 and more Source cves: CVE-2023-25572 Source advisory: OSV:GHSA-5JCR-82FH-339V...

CVSS 5.4 | AI score 6.4 | EPSS 0.00799
Exploits 1
NVD
added 2023/02/13 9:15 p.m. | 17 views

CVE-2023-25572

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 | AI score 5.1 | EPSS 0.00799
Exploits 1 | References 5
Prion
added 2023/02/13 9:15 p.m. | 17 views

Cross site scripting

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 4.9 | AI score 5.2 | EPSS 0.00799
Exploits 1 | References 5 | Affected Software 2
Vulnrichment
added 2023/02/13 8:49 p.m. | 6 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 | AI score 5.3 | EPSS 0.00799
Exploits 1 | References 5
Cvelist
added 2023/02/13 8:49 p.m. | 21 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 | AI score 5.3 | EPSS 0.00799
Exploits 1 | References 5
OSV
added 2023/02/13 8:49 p.m. | 20 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 | AI score 5.3 | EPSS 0.00799
Exploits 1 | References 7