Description
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> (anchor) tag because that value is not adequately sanitized.
Recommendation
Update the bootstrap package to the latest compatible version. Version details:
- Affected version(s): >= 4.0.0, <= 4.6.2
- Patched version(s): 5.0.0
References
- GHSA-vc8w-jr9v-vj7f
- www.herodevs.com
- lists.debian.org
- CVE-2024-6531
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
- Regular Expression Denial of Service in papaparse - CVE-2020-36649
- Regular Expression Denial of Service in jsoneditor - CVE-2021-3822
Tags
- npm
- bootstrap
Last updated on April 14, 2025