CVE-2022-1726 – Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in wenzhixin/bootstrap-table
https://notcve.org/view.php?id=CVE-2022-1726
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2. Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties. Una vulnerabilidad de tipo XSS en Bootstrap Tables con el plugin Table Export cuando exportOptions: htmlContent es true en el repositorio de GitHub wenzhixin/bootstrap-table versiones anteriores a 1.20.2. Divulgación de cookies de sesión, divulgación de datos de sesión seguros, exfiltración de datos a terceros • https://github.com/wenzhixin/bootstrap-table/commit/b4a1e5dd332be652e0bc376fd9256886cf4bbde9 https://huntr.dev/bounties/9b85cc33-0395-4c31-8a42-3a94beb2efea • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-23472 – Cross-site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-23472
This affects versions before 1.19.1 of package bootstrap-table. A type confusion vulnerability can lead to a bypass of input sanitization when the input provided to the escapeHTML function is an array (instead of a string) even if the escape attribute is set. Esto afecta a las versiones anteriores a la 1.19.1 del paquete bootstrap-table. Una vulnerabilidad de confusión de tipos puede llevar a una evasión de la sanitización de la entrada cuando la entrada proporcionada a la función escapeHTML es un array (en lugar de una cadena) incluso si el atributo escape está establecido • https://github.com/wenzhixin/bootstrap-table/blob/develop/src/utils/index.js%23L218 https://security.snyk.io/vuln/SNYK-JS-BOOTSTRAPTABLE-1657597 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1910690 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1910689 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBWENZHIXIN-1910687 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910688 https://snyk.io/vuln/SNYK-JS-BOOTSTRAPTABLE-1657597 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2021-23398 – Cross-site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-23398
All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output. Todas las versiones del paquete react-bootstrap-table son vulnerables a ataques de tipo Cross-site Scripting (XSS) por medio del parámetro dataFormat. El problema es desencadenado cuando se devuelve un elemento React no válido, conllevando a el uso del parámetro dangerouslySetInnerHTML, que no sanea la salida • https://github.com/AllenFang/react-bootstrap-table/blob/26d07defab759e4f9bce22d1d568690830b8d9d7/src/TableBody.js%23L114-L118 https://github.com/AllenFang/react-bootstrap-table/issues/2071 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314286 https://snyk.io/vuln/SNYK-JS-REACTBOOTSTRAPTABLE-1314285 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •