PT-2018-17489 · Facebook · React-Dom

Dan Abramov

·

Published

2018-12-31

·

Updated

2019-10-09

·

CVE-2018-6341

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

react-dom 16.0.0
react-dom 16.1.0 through 16.1.1
react-dom 16.2.0
react-dom 16.3.0 through 16.3.2
react-dom 16.4.0 through 16.4.1
Description

The issue is a cross-site scripting vulnerability in React applications that render to HTML with the ReactDOMServer API. ReactDOMServer escapes attribute values, but the affected versions emit user-supplied attribute names at render time without escaping or validating them. A name containing a quote or a space therefore closes the current attribute and injects further ones, including event handlers, which lets an attacker execute arbitrary JavaScript in the victim's browser. An application is affected only if it is rendered to HTML on the server with ReactDOMServer and places user input in an attribute name of an HTML tag (for example by spreading a user-controlled object into an element's props); client-side rendering and attribute values alone are not affected by this issue.
Recommendations

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2018-6341
GHSA-MVJJ-GQQ2-P4HW

Affected Products

React-Dom