Repostat Reflected Cross-Site Scripting Vulnerability in RepoCard Component
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the RepoCard component of the Repostat React package prior to version 1.0.1. The component uses React's dangerouslySetInnerHTML to display the repository name from the repo prop during the loading state without sanitizing it first. If unvalidated user input reaches the repo prop, for example from a URL query parameter, an attacker can execute arbitrary JavaScript in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute arbitrary JavaScript in the user's browser.
Reproduction
To reproduce this vulnerability, use the RepoCard component from the Repostat package and pass a malicious payload into the repo prop. This can be done by including a script tag in the URL query parameter that the application reads and passes to the component. When the component renders, the injected JavaScript will execute, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to update the Repostat package to version 1.0.1 or later, where this vulnerability has been fixed by removing the use of dangerouslySetInnerHTML and implementing safe rendering practices.
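As an added illustration (not Repostat's own code), the following dependency-free JavaScript models the vulnerable loading-state render beside the fixed one, and adds the input check a caller can apply before filling the prop from a query parameter. React is not imported; the two render functions imitate what React emits for a text child versus dangerouslySetInnerHTML, and the function names, markup and repository-name format are assumptions.

```javascript
// Added example, not code from the Repostat package. React is not loaded here:
// the render functions below imitate React's output for a text child (escaped)
// versus dangerouslySetInnerHTML (raw markup). Names and markup are assumed.

// What React does for a text child: every markup-significant character is escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable loading state (pre-1.0.1 pattern): repo is inserted as raw HTML,
// the equivalent of <h3 dangerouslySetInnerHTML={{ __html: repo }} />.
function renderLoadingCardUnsafe(repo) {
  return `<div class="repo-card loading"><h3>${repo}</h3></div>`;
}

// Fixed loading state: repo is rendered as a text child, the equivalent of
// <h3>{repo}</h3>, so it is escaped before it reaches the DOM.
function renderLoadingCardSafe(repo) {
  return `<div class="repo-card loading"><h3>${escapeHtml(repo)}</h3></div>`;
}

// Defence in depth for callers that fill the prop from a URL query parameter:
// accept only an "owner/name" pair made of the characters GitHub-style
// repository names allow (assumed format) and reject everything else.
const REPO_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,38}\/[A-Za-z0-9_.-]{1,100}$/;
function isValidRepoName(repo) {
  return typeof repo === "string" && REPO_PATTERN.test(repo);
}

// Constructed sample inputs: a legitimate name and one that carries markup.
const GOOD_REPO = "octocat/hello-world";
const BAD_REPO = "octocat/<script>alert(1)</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderLoadingCardUnsafe(BAD_REPO)); // markup reaches the DOM intact
  console.log(renderLoadingCardSafe(BAD_REPO));   // markup becomes inert text
  console.log(isValidRepoName(GOOD_REPO), isValidRepoName(BAD_REPO));
}
```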