Description
Cross-Site Scripting in react
Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 0.14.0 or later.
Packages
Name: react
Ecosystem: npm
Affected versions: >= 0.0.1, < 0.14.0
Fixed version: 0.14.0
Weaknesses
CWE-79