CVE-2021-23398

medium

Description

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.
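The safe counterpart to the fallback described above, as an added example that is not react-bootstrap-table code: a non-element result from the column formatter is HTML-escaped and rendered as text instead of being handed to dangerouslySetInnerHTML. React is not imported; isValidElement and createElement below are minimal stand-ins for the React APIs so the logic can run stand-alone.

```javascript
// Stand-in for React's element marker; only objects made by createElement() qualify.
const ELEMENT_TAG = Symbol.for('example.element');

// Minimal stand-in for React.isValidElement (assumption: same contract, element or not).
function isValidElement(value) {
  return value !== null && typeof value === 'object' && value.$$typeof === ELEMENT_TAG;
}

// Minimal stand-in for React.createElement, enough to produce a "valid element".
function createElement(type, props, ...children) {
  return { $$typeof: ELEMENT_TAG, type, props: { ...props, children } };
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Shape of the vulnerable fallback: when dataFormat does not return an element,
// its output is treated as trusted markup (equivalent to dangerouslySetInnerHTML).
function renderCellUnsafe(dataFormat, cell, row) {
  const out = dataFormat(cell, row);
  return isValidElement(out)
    ? { kind: 'element', element: out }
    : { kind: 'html', html: String(out) };
}

// Hardened version: anything that is not an element is rendered as escaped text,
// so markup in the cell value is displayed rather than interpreted by the browser.
function renderCellSafe(dataFormat, cell, row) {
  const out = dataFormat(cell, row);
  return isValidElement(out)
    ? { kind: 'element', element: out }
    : { kind: 'text', text: escapeHtml(out) };
}

// Constructed sample data: a string-returning formatter over an untrusted row,
// which is exactly the path on which the non-element fallback is reached.
const sampleRow = { id: 7, name: '<b>untrusted</b>' };
const nameFormatter = (cell) => `Name: ${cell}`;
const elementFormatter = (cell) => createElement('span', null, cell);
```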

References

https://snyk.io/vuln/SNYK-JS-REACTBOOTSTRAPTABLE-1314285

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314286

https://github.com/AllenFang/react-bootstrap-table/issues/2071

https://github.com/AllenFang/react-bootstrap-table/blob/26d07defab759e4f9bce22d1d568690830b8d9d7/src/TableBody.js#L114-L118

Details

Source: Mitre, NVD

Published: 2021-06-24

Updated: 2021-06-30

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00419