CVE-2018-6341: XSS

First published: Mon Dec 31 2018(Updated: )

Affected versions of `react-dom` are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to: - be a server-side React app - be rendered to HTML using `ReactDOMServer` - include an attribute name from user input in an HTML tag ## Recommendation If you are using `react-dom` 16.0.x, upgrade to 16.0.1 or later. If you are using `react-dom` 16.1.x, upgrade to 16.1.2 or later. If you are using `react-dom` 16.2.x, upgrade to 16.2.1 or later. If you are using `react-dom` 16.3.x, upgrade to 16.3.3 or later. If you are using `react-dom` 16.4.x, upgrade to 16.4.2 or later.

Credit: cve-assign@fb.com cve-assign@fb.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• alias/GHSA-mvjj-gqq2-p4hw
• alias/CVE-2018-6341
• collector/github-advisory
• collector/nvd-index
• collector/nvd-cve
• agent/author
• agent/references
• agent/type
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/weakness
• agent/severity
• agent/tags
• agent/description
• agent/first-publish-date
• agent/event
• agent/trending
• package-manager/npm
• vendor/facebook
• canonical/facebook react
• version/facebook react/16.0.0
• version/facebook react/16.1.0
• version/facebook react/16.2.0
• version/facebook react/16.3.0
• version/facebook react/16.4.0