VYPR
Moderate severity · NVD Advisory · Published Jun 24, 2021 · Updated Sep 17, 2024

Cross-site Scripting (XSS)

CVE-2021-23398

Description

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of react-bootstrap-table are vulnerable to XSS via the dataFormat parameter: when a dataFormat callback returns a value that is not a React element, the library renders that value with dangerouslySetInnerHTML and no sanitization.

Vulnerability

All versions of the react-bootstrap-table package are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter [1][2][3]. dataFormat is a per-column callback that receives the cell value and row and returns what the cell should display. If the returned value is not a React element (for example a plain string, rather than JSX or the result of React.createElement), the library treats it as an HTML string and renders it with dangerouslySetInnerHTML, which performs no escaping or sanitization. Any dataFormat that builds a string from cell data therefore becomes an HTML/JavaScript injection point for whoever controls that data [4].

Exploitation

Exploitation requires two things: a dataFormat callback that returns a string containing the cell value (for example by interpolating it into a template string, or simply returning it), and attacker control over a value in the data array passed to BootstrapTable. The payload is an ordinary XSS vector placed in that value; when the table renders, dataFormat returns the string, the library passes it to dangerouslySetInnerHTML, and the browser parses it as markup [2][3]. No special network position is required, and whether authentication is needed depends entirely on how the application lets the attacker's value reach the table (a stored user-supplied field, a query parameter reflected into the dataset, and so on).

Impact

Successful exploitation leads to Cross-site Scripting (XSS) in the context of the victim's browser session; it is stored or reflected depending on where the table data originates. An attacker can execute arbitrary JavaScript in the application's origin, read cookies or session tokens not protected by HttpOnly, and perform actions on behalf of the victim. The impact is limited to the client side, but can compromise user data and application integrity.

Mitigation

As of the publication date (June 24, 2021), there is no fixed version for react-bootstrap-table [2][3]; the advisory lists all releases up to 4.3.1 as affected and no patched version. The package appears to be unmaintained. The safe pattern is to have dataFormat always return a React element (JSX or React.createElement) and let React escape the text; never return a string that contains cell data. If a string must be returned because the cell genuinely carries HTML, HTML-escape the untrusted parts or run the result through an HTML sanitizer such as DOMPurify before returning it. Audit every dataFormat in the code base for string returns. Alternatively, consider migrating to a maintained fork or alternative library. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:            react-bootstrap-table (npm)
Affected versions:  <= 4.3.1
Patched versions:   none

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 6
