CVEs-PoC/2021/CVE-2021-23398.md

### [CVE-2021-23398](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23398)
![](https://img.shields.io/static/v1?label=Product&message=react-bootstrap-table&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Cross-site%20Scripting%20(XSS)&color=brightgreen)

### Description

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.

### POC

#### Reference
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314286
- https://snyk.io/vuln/SNYK-JS-REACTBOOTSTRAPTABLE-1314285

#### Github
- https://github.com/andystu/react-bootstrap-table-cve