cvelistv5 - cve-2018-6341

CVE-2018-6341 (GCVE-0-2018-6341)

Vulnerability from cvelistv5 – Published: 2018-12-31 22:00 – Updated: 2025-05-06 16:54

Summary

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)

Assigner

facebook

References

URL

Tags

	https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html	x_refsource_MISC
	https://twitter.com/reactjs/status/1024745321987887104	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Facebook	react-dom	Affected: 16.4.2 Affected: 16.4.0 , < unspecified (custom) Affected: 16.3.3 Affected: 16.3.0 , < unspecified (custom) Affected: 16.2.1 Affected: 16.2.0 , < unspecified (custom) Affected: 16.1.2 Affected: 16.1.0 , < unspecified (custom) Affected: 16.0.1 Affected: 16.0.0 , < unspecified (custom) Unaffected: unspecified , < 16.0.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:01:48.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/reactjs/status/1024745321987887104"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2018-6341",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T16:54:12.196558Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T16:54:17.932Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-dom",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "16.4.2"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.4.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.3.3"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.3.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.2.1"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.2.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.1.2"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.1.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "16.0.1"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "16.0.0",
              "status": "unaffected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2018-08-01T00:00:00.000Z",
      "datePublic": "2018-12-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-31T21:57:01.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/reactjs/status/1024745321987887104"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2018-08-01",
          "ID": "CVE-2018-6341",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "react-dom",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.4.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.4.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.3.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.3.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.2.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.2.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.1.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.1.0"
                          },
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "16.0.1"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "16.0.0"
                          },
                          {
                            "version_affected": "!\u003c",
                            "version_value": "16.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
              "refsource": "MISC",
              "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
            },
            {
              "name": "https://twitter.com/reactjs/status/1024745321987887104",
              "refsource": "MISC",
              "url": "https://twitter.com/reactjs/status/1024745321987887104"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2018-6341",
    "datePublished": "2018-12-31T22:00:00.000Z",
    "dateReserved": "2018-01-26T00:00:00.000Z",
    "dateUpdated": "2025-05-06T16:54:17.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.0.0\", \"versionEndExcluding\": \"16.0.1\", \"matchCriteriaId\": \"2F2DBC72-D3BB-4F2E-8C4E-78338879F785\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.1.0\", \"versionEndExcluding\": \"16.1.2\", \"matchCriteriaId\": \"BFDC1FE0-32FA-4087-BAC9-8BE468C2C890\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.2.0\", \"versionEndExcluding\": \"16.2.1\", \"matchCriteriaId\": \"68B83811-5DEF-4C8D-A472-A2AB9B25AAB7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.3.0\", \"versionEndExcluding\": \"16.3.3\", \"matchCriteriaId\": \"13B2835B-E9DB-49B7-9C1D-EFF8EDE1C367\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"16.4.0\", \"versionEndExcluding\": \"16.4.2\", \"matchCriteriaId\": \"AFEFCB3B-A978-457C-A26E-D1A818DE878D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.\"}, {\"lang\": \"es\", \"value\": \"Aplicaciones \\\"react\\\" que renderizaban a HTML mediante la API APIReactDOMServer no escapaban nombres de atributo proporcionados por el usuario a la hora de renderizar. Dicha falta de escape podr\\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema afectaba a peque\\u00f1as distribuciones: las versiones 16.0.x, 16.1.x, 16.2.x, 16.3.x y 16.4.x. Se solucion\\u00f3 en las versiones 16.0.1, 16.1.2, 16.2.1, 16.3.3 y 16.4.2.\"}]",
      "id": "CVE-2018-6341",
      "lastModified": "2024-11-21T04:10:31.070",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2018-12-31T22:29:00.387",
      "references": "[{\"url\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"source\": \"cve-assign@fb.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"source\": \"cve-assign@fb.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve-assign@fb.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cve-assign@fb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-6341\",\"sourceIdentifier\":\"cve-assign@fb.com\",\"published\":\"2018-12-31T22:29:00.387\",\"lastModified\":\"2025-05-06T17:15:51.207\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.\"},{\"lang\":\"es\",\"value\":\"Aplicaciones \\\"react\\\" que renderizaban a HTML mediante la API APIReactDOMServer no escapaban nombres de atributo proporcionados por el usuario a la hora de renderizar. Dicha falta de escape podr\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema afectaba a peque\u00f1as distribuciones: las versiones 16.0.x, 16.1.x, 16.2.x, 16.3.x y 16.4.x. Se solucion\u00f3 en las versiones 16.0.1, 16.1.2, 16.2.1, 16.3.3 y 16.4.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"cve-assign@fb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.0.1\",\"matchCriteriaId\":\"2F2DBC72-D3BB-4F2E-8C4E-78338879F785\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.1.0\",\"versionEndExcluding\":\"16.1.2\",\"matchCriteriaId\":\"BFDC1FE0-32FA-4087-BAC9-8BE468C2C890\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.2.0\",\"versionEndExcluding\":\"16.2.1\",\"matchCriteriaId\":\"68B83811-5DEF-4C8D-A472-A2AB9B25AAB7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.3.0\",\"versionEndExcluding\":\"16.3.3\",\"matchCriteriaId\":\"13B2835B-E9DB-49B7-9C1D-EFF8EDE1C367\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.4.0\",\"versionEndExcluding\":\"16.4.2\",\"matchCriteriaId\":\"AFEFCB3B-A978-457C-A26E-D1A818DE878D\"}]}]}],\"references\":[{\"url\":\"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\",\"source\":\"cve-assign@fb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://twitter.com/reactjs/status/1024745321987887104\",\"source\":\"cve-assign@fb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://twitter.com/reactjs/status/1024745321987887104\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T06:01:48.794Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2018-6341\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T16:54:12.196558Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T16:53:23.979Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Facebook\", \"product\": \"react-dom\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.4.2\"}, {\"status\": \"affected\", \"version\": \"16.4.0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.3.3\"}, {\"status\": \"affected\", \"version\": \"16.3.0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.2.1\"}, {\"status\": \"affected\", \"version\": \"16.2.0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.1.2\"}, {\"status\": \"affected\", \"version\": \"16.1.0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.0.1\"}, {\"status\": \"affected\", \"version\": \"16.0.0\", \"lessThan\": \"unspecified\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"unspecified\", \"lessThan\": \"16.0.0\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2018-12-31T00:00:00.000Z\", \"references\": [{\"url\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"tags\": [\"x_refsource_MISC\"]}], \"dateAssigned\": \"2018-08-01T00:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"Improper Neutralization of Input During Web Page Generation (CWE-79)\"}]}], \"providerMetadata\": {\"orgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"shortName\": \"facebook\", \"dateUpdated\": \"2018-12-31T21:57:01.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"16.4.2\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"16.4.0\", \"version_affected\": \"\u003e=\"}, {\"version_value\": \"16.3.3\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"16.3.0\", \"version_affected\": \"\u003e=\"}, {\"version_value\": \"16.2.1\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"16.2.0\", \"version_affected\": \"\u003e=\"}, {\"version_value\": \"16.1.2\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"16.1.0\", \"version_affected\": \"\u003e=\"}, {\"version_value\": \"16.0.1\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"16.0.0\", \"version_affected\": \"\u003e=\"}, {\"version_value\": \"16.0.0\", \"version_affected\": \"!\u003c\"}]}, \"product_name\": \"react-dom\"}]}, \"vendor_name\": \"Facebook\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"name\": \"https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"name\": \"https://twitter.com/reactjs/status/1024745321987887104\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Improper Neutralization of Input During Web Page Generation (CWE-79)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2018-6341\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve-assign@fb.com\", \"DATE_ASSIGNED\": \"2018-08-01\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2018-6341\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-06T16:54:17.932Z\", \"dateReserved\": \"2018-01-26T00:00:00.000Z\", \"assignerOrgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"datePublished\": \"2018-12-31T22:00:00.000Z\", \"assignerShortName\": \"facebook\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-AVI-0279

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Db2	Db2 versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Application Server Liberty sans le correctif APAR PH65394
IBM	Db2 Warehouse	Db2 Warehouse versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Hybrid Edition sans le dernier correctif de sécurité
IBM	QRadar Analyst Workflow	QRadar Analyst Workflow versions antérieures à 3.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7230024	2025-04-03	vendor-advisory
Bulletin de sécurité IBM 7229770	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229443	2025-03-28	vendor-advisory
Bulletin de sécurité IBM 7229768	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229772	2025-04-01	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Db2 versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Application Server Liberty sans le correctif APAR PH65394",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Warehouse versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2 Warehouse",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Hybrid Edition sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Analyst Workflow versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "QRadar Analyst Workflow",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2023-45857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
    },
    {
      "name": "CVE-2023-45142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
    },
    {
      "name": "CVE-2022-48890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48890"
    },
    {
      "name": "CVE-2024-35176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35176"
    },
    {
      "name": "CVE-2024-37071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37071"
    },
    {
      "name": "CVE-2025-25285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25285"
    },
    {
      "name": "CVE-2024-6232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
    },
    {
      "name": "CVE-2024-34997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34997"
    },
    {
      "name": "CVE-2024-51479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-51479"
    },
    {
      "name": "CVE-2024-43398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43398"
    },
    {
      "name": "CVE-2024-35946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35946"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-41761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41761"
    },
    {
      "name": "CVE-2022-29153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29153"
    },
    {
      "name": "CVE-2023-52605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52605"
    },
    {
      "name": "CVE-2021-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
    },
    {
      "name": "CVE-2018-6341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-6341"
    },
    {
      "name": "CVE-2023-52455",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52455"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-27152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
    },
    {
      "name": "CVE-2024-26740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26740"
    },
    {
      "name": "CVE-2024-47764",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47764"
    },
    {
      "name": "CVE-2025-25288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25288"
    },
    {
      "name": "CVE-2024-35790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
    },
    {
      "name": "CVE-2022-48921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48921"
    },
    {
      "name": "CVE-2024-45296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
    },
    {
      "name": "CVE-2025-25290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25290"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-39908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39908"
    },
    {
      "name": "CVE-2021-47495",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47495"
    },
    {
      "name": "CVE-2024-41946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
    },
    {
      "name": "CVE-2023-52832",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52832"
    },
    {
      "name": "CVE-2024-41110",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
    },
    {
      "name": "CVE-2024-27281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27281"
    },
    {
      "name": "CVE-2024-52798",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
    },
    {
      "name": "CVE-2023-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
    },
    {
      "name": "CVE-2024-6484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6484"
    },
    {
      "name": "CVE-2020-13844",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13844"
    },
    {
      "name": "CVE-2024-26776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26776"
    },
    {
      "name": "CVE-2024-6485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
    },
    {
      "name": "CVE-2024-41762",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41762"
    },
    {
      "name": "CVE-2024-39494",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39494"
    },
    {
      "name": "CVE-2025-23184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
    },
    {
      "name": "CVE-2024-6119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
    },
    {
      "name": "CVE-2021-4204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4204"
    },
    {
      "name": "CVE-2024-26843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26843"
    },
    {
      "name": "CVE-2024-40679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40679"
    },
    {
      "name": "CVE-2023-52885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52885"
    },
    {
      "name": "CVE-2018-20225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-20225"
    },
    {
      "name": "CVE-2019-11253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
    },
    {
      "name": "CVE-2023-52898",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52898"
    },
    {
      "name": "CVE-2025-25289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25289"
    },
    {
      "name": "CVE-2024-45663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45663"
    },
    {
      "name": "CVE-2023-52467",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52467"
    },
    {
      "name": "CVE-2024-41123",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
    },
    {
      "name": "CVE-2024-36620",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36620"
    },
    {
      "name": "CVE-2022-48706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48706"
    },
    {
      "name": "CVE-2024-49761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0279",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-04-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-04-03",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7230024",
      "url": "https://www.ibm.com/support/pages/node/7230024"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229770",
      "url": "https://www.ibm.com/support/pages/node/7229770"
    },
    {
      "published_at": "2025-03-28",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229443",
      "url": "https://www.ibm.com/support/pages/node/7229443"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229768",
      "url": "https://www.ibm.com/support/pages/node/7229768"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229772",
      "url": "https://www.ibm.com/support/pages/node/7229772"
    }
  ]
}

CERTFR-2025-AVI-0279

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Db2	Db2 versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Application Server Liberty sans le correctif APAR PH65394
IBM	Db2 Warehouse	Db2 Warehouse versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Hybrid Edition sans le dernier correctif de sécurité
IBM	QRadar Analyst Workflow	QRadar Analyst Workflow versions antérieures à 3.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7230024	2025-04-03	vendor-advisory
Bulletin de sécurité IBM 7229770	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229443	2025-03-28	vendor-advisory
Bulletin de sécurité IBM 7229768	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229772	2025-04-01	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Db2 versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Application Server Liberty sans le correctif APAR PH65394",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Warehouse versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2 Warehouse",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Hybrid Edition sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Analyst Workflow versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "QRadar Analyst Workflow",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2023-45857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
    },
    {
      "name": "CVE-2023-45142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
    },
    {
      "name": "CVE-2022-48890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48890"
    },
    {
      "name": "CVE-2024-35176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35176"
    },
    {
      "name": "CVE-2024-37071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37071"
    },
    {
      "name": "CVE-2025-25285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25285"
    },
    {
      "name": "CVE-2024-6232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
    },
    {
      "name": "CVE-2024-34997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34997"
    },
    {
      "name": "CVE-2024-51479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-51479"
    },
    {
      "name": "CVE-2024-43398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43398"
    },
    {
      "name": "CVE-2024-35946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35946"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-41761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41761"
    },
    {
      "name": "CVE-2022-29153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29153"
    },
    {
      "name": "CVE-2023-52605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52605"
    },
    {
      "name": "CVE-2021-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
    },
    {
      "name": "CVE-2018-6341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-6341"
    },
    {
      "name": "CVE-2023-52455",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52455"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-27152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
    },
    {
      "name": "CVE-2024-26740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26740"
    },
    {
      "name": "CVE-2024-47764",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47764"
    },
    {
      "name": "CVE-2025-25288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25288"
    },
    {
      "name": "CVE-2024-35790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
    },
    {
      "name": "CVE-2022-48921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48921"
    },
    {
      "name": "CVE-2024-45296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
    },
    {
      "name": "CVE-2025-25290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25290"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-39908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39908"
    },
    {
      "name": "CVE-2021-47495",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47495"
    },
    {
      "name": "CVE-2024-41946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
    },
    {
      "name": "CVE-2023-52832",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52832"
    },
    {
      "name": "CVE-2024-41110",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
    },
    {
      "name": "CVE-2024-27281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27281"
    },
    {
      "name": "CVE-2024-52798",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
    },
    {
      "name": "CVE-2023-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
    },
    {
      "name": "CVE-2024-6484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6484"
    },
    {
      "name": "CVE-2020-13844",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13844"
    },
    {
      "name": "CVE-2024-26776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26776"
    },
    {
      "name": "CVE-2024-6485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
    },
    {
      "name": "CVE-2024-41762",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41762"
    },
    {
      "name": "CVE-2024-39494",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39494"
    },
    {
      "name": "CVE-2025-23184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
    },
    {
      "name": "CVE-2024-6119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
    },
    {
      "name": "CVE-2021-4204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4204"
    },
    {
      "name": "CVE-2024-26843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26843"
    },
    {
      "name": "CVE-2024-40679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40679"
    },
    {
      "name": "CVE-2023-52885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52885"
    },
    {
      "name": "CVE-2018-20225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-20225"
    },
    {
      "name": "CVE-2019-11253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
    },
    {
      "name": "CVE-2023-52898",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52898"
    },
    {
      "name": "CVE-2025-25289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25289"
    },
    {
      "name": "CVE-2024-45663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45663"
    },
    {
      "name": "CVE-2023-52467",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52467"
    },
    {
      "name": "CVE-2024-41123",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
    },
    {
      "name": "CVE-2024-36620",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36620"
    },
    {
      "name": "CVE-2022-48706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48706"
    },
    {
      "name": "CVE-2024-49761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0279",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-04-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-04-03",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7230024",
      "url": "https://www.ibm.com/support/pages/node/7230024"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229770",
      "url": "https://www.ibm.com/support/pages/node/7229770"
    },
    {
      "published_at": "2025-03-28",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229443",
      "url": "https://www.ibm.com/support/pages/node/7229443"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229768",
      "url": "https://www.ibm.com/support/pages/node/7229768"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229772",
      "url": "https://www.ibm.com/support/pages/node/7229772"
    }
  ]
}

FKIE_CVE-2018-6341

Vulnerability from fkie_nvd - Published: 2018-12-31 22:29 - Updated: 2025-05-06 17:15

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve-assign@fb.com	https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html	Vendor Advisory
cve-assign@fb.com	https://twitter.com/reactjs/status/1024745321987887104	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://twitter.com/reactjs/status/1024745321987887104	Vendor Advisory

Impacted products

Vendor	Product	Version
facebook	react	*
facebook	react	*
facebook	react	*
facebook	react	*
facebook	react	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F2DBC72-D3BB-4F2E-8C4E-78338879F785",
              "versionEndExcluding": "16.0.1",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFDC1FE0-32FA-4087-BAC9-8BE468C2C890",
              "versionEndExcluding": "16.1.2",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "68B83811-5DEF-4C8D-A472-A2AB9B25AAB7",
              "versionEndExcluding": "16.2.1",
              "versionStartIncluding": "16.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13B2835B-E9DB-49B7-9C1D-EFF8EDE1C367",
              "versionEndExcluding": "16.3.3",
              "versionStartIncluding": "16.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFEFCB3B-A978-457C-A26E-D1A818DE878D",
              "versionEndExcluding": "16.4.2",
              "versionStartIncluding": "16.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
    },
    {
      "lang": "es",
      "value": "Aplicaciones \"react\" que renderizaban a HTML mediante la API APIReactDOMServer no escapaban nombres de atributo proporcionados por el usuario a la hora de renderizar. Dicha falta de escape podr\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema afectaba a peque\u00f1as distribuciones: las versiones 16.0.x, 16.1.x, 16.2.x, 16.3.x y 16.4.x. Se solucion\u00f3 en las versiones 16.0.1, 16.1.2, 16.2.1, 16.3.3 y 16.4.2."
    }
  ],
  "id": "CVE-2018-6341",
  "lastModified": "2025-05-06T17:15:51.207",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2018-12-31T22:29:00.387",
  "references": [
    {
      "source": "cve-assign@fb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
    },
    {
      "source": "cve-assign@fb.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://twitter.com/reactjs/status/1024745321987887104"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://twitter.com/reactjs/status/1024745321987887104"
    }
  ],
  "sourceIdentifier": "cve-assign@fb.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cve-assign@fb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-6341

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-6341

Aliases

CVE-2018-6341

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-6341",
    "description": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.",
    "id": "GSD-2018-6341"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-6341"
      ],
      "details": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.",
      "id": "GSD-2018-6341",
      "modified": "2023-12-13T01:22:35.745689Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve-assign@fb.com",
        "DATE_ASSIGNED": "2018-08-01",
        "ID": "CVE-2018-6341",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "react-dom",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "16.4.2"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "16.4.0"
                        },
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "16.3.3"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "16.3.0"
                        },
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "16.2.1"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "16.2.0"
                        },
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "16.1.2"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "16.1.0"
                        },
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "16.0.1"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_value": "16.0.0"
                        },
                        {
                          "version_affected": "!\u003c",
                          "version_value": "16.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
            "refsource": "MISC",
            "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
          },
          {
            "name": "https://twitter.com/reactjs/status/1024745321987887104",
            "refsource": "MISC",
            "url": "https://twitter.com/reactjs/status/1024745321987887104"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "=16.0.0||\u003e=16.1.0 \u003c16.1.2||=16.2.0||\u003e=16.3.0 \u003c16.3.3||\u003e=16.4.0 \u003c16.4.2",
          "affected_versions": "Version 16.0.0, all versions starting from 16.1.0 before 16.1.2, version 16.2.0, all versions starting from 16.3.0 before 16.3.3, all versions starting from 16.4.0 before 16.4.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-01-08",
          "description": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time.",
          "fixed_versions": [
            "16.0.1",
            "16.1.2",
            "16.2.1",
            "16.3.3",
            "16.4.2"
          ],
          "identifier": "CVE-2018-6341",
          "identifiers": [
            "GHSA-mvjj-gqq2-p4hw",
            "CVE-2018-6341"
          ],
          "not_impacted": "All versions before 16.0.0, all versions after 16.0.0 before 16.1.0, all versions starting from 16.1.2 before 16.2.0, all versions after 16.2.0 before 16.3.0, all versions starting from 16.3.3 before 16.4.0, all versions starting from 16.4.2",
          "package_slug": "npm/react-dom",
          "pubdate": "2019-01-04",
          "solution": "Upgrade to versions 16.0.1, 16.1.2, 16.2.1, 16.3.3, 16.4.2 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-6341",
            "https://github.com/advisories/GHSA-mvjj-gqq2-p4hw",
            "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
            "https://snyk.io/vuln/npm:react-dom:20180802",
            "https://www.npmjs.com/advisories/1421",
            "https://twitter.com/reactjs/status/1024745321987887104"
          ],
          "uuid": "8cc250d3-cc0d-48c8-bc67-ecdc5dd0dec5"
        },
        {
          "affected_range": "\u003e=16.0.0 \u003c16.0.1||\u003e=16.1.0 \u003c16.1.2||\u003e=16.2.0 \u003c16.2.1||\u003e=16.3.0 \u003c16.3.3||\u003e=16.4.0 \u003c16.4.2",
          "affected_versions": "All versions starting from 16.0.0 before 16.0.1, all versions starting from 16.1.0 before 16.1.2, all versions starting from 16.2.0 before 16.2.1, all versions starting from 16.3.0 before 16.3.3, all versions starting from 16.4.0 before 16.4.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "React applications which rendered to HTML using the `ReactDOMServer` API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability.",
          "fixed_versions": [
            "16.4.2"
          ],
          "identifier": "CVE-2018-6341",
          "identifiers": [
            "CVE-2018-6341"
          ],
          "not_impacted": "All versions before 16.0.0, all versions starting from 16.0.1 before 16.1.0, all versions starting from 16.1.2 before 16.2.0, all versions starting from 16.2.1 before 16.3.0, all versions starting from 16.3.3 before 16.4.0, all versions starting from 16.4.2",
          "package_slug": "npm/react",
          "pubdate": "2018-12-31",
          "solution": "Upgrade to version 16.4.2 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-6341",
            "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
            "https://twitter.com/reactjs/status/1024745321987887104"
          ],
          "uuid": "4dd14443-4f24-4c3c-91db-b2b26d372ab5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.2.1",
                "versionStartIncluding": "16.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.3.3",
                "versionStartIncluding": "16.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.4.2",
                "versionStartIncluding": "16.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.0.1",
                "versionStartIncluding": "16.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.1.2",
                "versionStartIncluding": "16.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "ID": "CVE-2018-6341"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://twitter.com/reactjs/status/1024745321987887104",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://twitter.com/reactjs/status/1024745321987887104"
            },
            {
              "name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-10-09T23:41Z",
      "publishedDate": "2018-12-31T22:29Z"
    }
  }
}

GHSA-MVJJ-GQQ2-P4HW

Vulnerability from github – Published: 2019-01-04 19:05 – Updated: 2023-09-13 19:45

Summary

Cross-Site Scripting in react-dom

Details

Affected versions of react-dom are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim's browser. To be affected by this vulnerability, the application needs to: - be a server-side React app - be rendered to HTML using ReactDOMServer - include an attribute name from user input in an HTML tag

Recommendation

If you are using react-dom 16.0.x, upgrade to 16.0.1 or later.
If you are using react-dom 16.1.x, upgrade to 16.1.2 or later.
If you are using react-dom 16.2.x, upgrade to 16.2.1 or later.
If you are using react-dom 16.3.x, upgrade to 16.3.3 or later.
If you are using react-dom 16.4.x, upgrade to 16.4.2 or later.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "16.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.1.0"
            },
            {
              "fixed": "16.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.2.0"
            },
            {
              "fixed": "16.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "16.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.3.0"
            },
            {
              "fixed": "16.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.4.0"
            },
            {
              "fixed": "16.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-6341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of `react-dom` are vulnerable to Cross-Site Scripting (XSS). The package fails to validate attribute names in HTML tags which may lead to Cross-Site Scripting in specific scenarios. This may allow attackers to execute arbitrary JavaScript in the victim\u0027s browser. To be affected by this vulnerability, the application needs to:\n- be a server-side React app\n- be rendered to HTML using `ReactDOMServer`\n- include an attribute name from user input in an HTML tag\n\n\n## Recommendation\n\nIf you are using `react-dom` 16.0.x, upgrade to 16.0.1 or later.  \nIf you are using `react-dom` 16.1.x, upgrade to 16.1.2 or later.  \nIf you are using `react-dom` 16.2.x, upgrade to 16.2.1 or later.  \nIf you are using `react-dom` 16.3.x, upgrade to 16.3.3 or later.  \nIf you are using `react-dom` 16.4.x, upgrade to 16.4.2 or later.",
  "id": "GHSA-mvjj-gqq2-p4hw",
  "modified": "2023-09-13T19:45:25Z",
  "published": "2019-01-04T19:05:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6341"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mvjj-gqq2-p4hw"
    },
    {
      "type": "WEB",
      "url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:react-dom:20180802"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/reactjs/status/1024745321987887104"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting in react-dom"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-6341 (GCVE-0-2018-6341)

CERTFR-2025-AVI-0279

Solutions

CERTFR-2025-AVI-0279

Solutions

FKIE_CVE-2018-6341

GSD-2018-6341

GHSA-MVJJ-GQQ2-P4HW

Recommendation

Tags

Sightings

Nomenclature