CVE-2018-6341
published 2018-12-31

Priority: P429, medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 3.43% (87.4th percentile)
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Affected

20 ranges
Vendor    Product    Version range            Fixed in
facebook  react      >= 16.0.0 < 16.0.1       16.0.1
facebook  react      >= 16.1.0 < 16.1.2       16.1.2
facebook  react      >= 16.2.0 < 16.2.1       16.2.1
facebook  react      >= 16.3.0 < 16.3.3       16.3.3
facebook  react      >= 16.4.0 < 16.4.2       16.4.2
facebook  react-dom
facebook  react-dom
facebook  react-dom
facebook  react-dom
facebook  react-dom
facebook  react-dom  >= 16.0.0 < unspecified  unspecified
facebook  react-dom  >= 16.0.0 < 16.0.1       16.0.1
facebook  react-dom  >= 16.1.0 < unspecified  unspecified
facebook  react-dom  >= 16.1.0 < 16.1.2       16.1.2
facebook  react-dom  >= 16.2.0 < unspecified  unspecified
facebook  react-dom  >= 16.2.0 < 16.2.1       16.2.1
facebook  react-dom  >= 16.3.0 < unspecified  unspecified
facebook  react-dom  >= 16.3.0 < 16.3.3       16.3.3
facebook  react-dom  >= 16.4.0 < unspecified  unspecified
facebook  react-dom  >= 16.4.0 < 16.4.2       16.4.2

CVSS provenance

nvd  v3.1  6.1  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd  v3.0  6.1  MEDIUM  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd  v2.0  4.3  MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N