CVE-2018-6341: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

January 4, 2019 (updated January 8, 2021)

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time.

References

github.com/advisories/GHSA-mvjj-gqq2-p4hw
nvd.nist.gov/vuln/detail/CVE-2018-6341
reactjs.org/blog/2018/08/01/react-v-16-4-2.html
snyk.io/vuln/npm:react-dom:20180802
twitter.com/reactjs/status/1024745321987887104
www.npmjs.com/advisories/1421

Code Behaviors & Features

Detect and mitigate CVE-2018-6341 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →