Description
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
Remediation
References
Related Vulnerabilities
phpMyAdmin Improper Input Validation Vulnerability (CVE-2011-1941)
WordPress Plugin WOOCS-Currency Switcher for WooCommerce Professional Cross-Site Scripting (1.3.7.4)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-2643)
WordPress Plugin GD Star Rating 'wpfn' Parameter Cross-Site Scripting (1.9.8)