Cross-Site Scripting in react - react

Description

Affected versions of react are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input.

Recommendation

Update the react package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 0.5.0, < 0.5.2

  >= 0.4.0, < 0.4.2**

• Patched version(s): **0.5.2

  0.4.2**

References

• GHSA-g53w-52xc-2j85
• reactjs.org
• snyk.io
• CVE-2013-7035
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-site scripting in react-bootstrap-table - CVE-2021-23398
• Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware - CVE-2013-7371
• jplayer Cross Site Scripting vulnerability - CVE-2013-2022
• methodOverride Middleware Reflected Cross-Site Scripting in connect - CVE-2013-7370

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

react