Description
Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package’s createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim’s browser.
Recommendation
Update the react package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.0.1, < 0.14.0
- Patched version(s): 0.14.0
References
Related Issues
- Prototype Pollution in lodash - CVE-2018-3721
- Cross-site Scripting in quill - CVE-2021-3163
- Prototype Pollution in async - CVE-2021-43138
- Joplin Remote Code Execution - CVE-2022-40277
- Tags:
- npm
- react
Anything's wrong? Let us know Last updated on January 09, 2023