CVE-2023-5654
https://notcve.org/view.php?id=CVE-2023-5654
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URLs via the victim's browser.
• https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231
• CWE-116: Improper Encoding or Escaping of Output
• CWE-285: Improper Authorization
CVE-2020-1920
https://notcve.org/view.php?id=CVE-2020-1920
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.
• https://github.com/facebook/react-native/commit/ca09ae82715e33c9ac77b3fa55495cf84ba891c7
• https://github.com/facebook/react-native/releases/tag/v0.64.1
• CWE-697: Incorrect Comparison
• CWE-1333: Inefficient Regular Expression Complexity
CVE-2021-24033
https://notcve.org/view.php?id=CVE-2021-24033
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (i.e. by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
• https://github.com/facebook/create-react-app/pull/10644
• https://www.facebook.com/security/advisories/cve-2021-24033
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-6342
https://notcve.org/view.php?id=CVE-2018-6342
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.
• https://github.com/ossf-cve-benchmark/CVE-2018-6342
• https://github.com/facebook/create-react-app/pull/4866
• https://github.com/facebook/create-react-app/releases/tag/v1.1.5
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-6341
https://notcve.org/view.php?id=CVE-2018-6341
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
• https://github.com/ossf-cve-benchmark/CVE-2018-6341
• https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html
• https://twitter.com/reactjs/status/1024745321987887104
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')