Cross-site scripting in react-bootstrap-table

Description

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 4.3.1

References

• GHSA-2589-w6xf-983r
• snyk.io
• CVE-2021-23398
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-site scripting in bootstrap-select - CVE-2019-20921
• Bootstrap Cross-site Scripting vulnerability - bootstrap - GHSA-4p24-vmcr-4gqj - CVE-2016-10735
• Bootstrap Cross-site Scripting vulnerability - CVE-2016-10735
• Bootstrap Cross-site Scripting vulnerability - bootstrap - GHSA-7mvr-5x2g-wfc8 - CVE-2018-14042

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

react-bootstrap-table