Description
All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 4.3.1
References
Related Issues
- Options structure open to Cross-site Scripting if passed unfiltered - CVE-2021-29489
- Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
- Cross-site Scripting in curly-bracket-parser - CVE-2021-23416
- Cross-site Scripting in file-upload-with-preview - CVE-2021-23439
- Tags:
- npm
- react-bootstrap-table
Anything's wrong? Let us know Last updated on February 01, 2023