CVE-2018-6341: Cross-site Scripting

December 31, 2018 (updated October 9, 2019)

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability.

References

nvd.nist.gov/vuln/detail/CVE-2018-6341
reactjs.org/blog/2018/08/01/react-v-16-4-2.html
twitter.com/reactjs/status/1024745321987887104

Code Behaviors & Features

Detect and mitigate CVE-2018-6341 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →