Description
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag because of inadequate sanitization.
Recommendation
Update the bootstrap package to the latest compatible version. Version details follow:
- Affected version(s): >= 4.0.0, <= 4.6.2
- Patched version(s): 5.0.0
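To check an npm lockfile against the range above, here is an added example (not code from the advisory or from the Bootstrap project). It assumes a lockfile v2/v3 "packages" layout and uses a hand-rolled major.minor.patch comparison so it runs without the semver package.

```javascript
// Added example: flag bootstrap entries in a lockfile whose resolved version
// falls inside the advisory's affected range (>= 4.0.0, <= 4.6.2).
const AFFECTED_MIN = "4.0.0";
const AFFECTED_MAX = "4.6.2";

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release/build suffix are
// ignored (pre-release ordering is not modelled, which is fine for this range).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when a resolved bootstrap version lies in the affected range.
function isAffectedBootstrap(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk the lockfile "packages" map (keys like "node_modules/bootstrap",
// including nested copies under other packages) and list affected entries.
function findAffectedInLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isBootstrap = path === "node_modules/bootstrap" ||
                        path.endsWith("/node_modules/bootstrap");
    if (isBootstrap && entry.version && isAffectedBootstrap(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct affected copy, one nested patched copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo", lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/bootstrap": { version: "4.6.2" },
    "node_modules/some-theme/node_modules/bootstrap": { version: "5.0.0" },
  },
});

console.log(findAffectedInLockfile(SAMPLE_LOCK));
```

Nested copies matter because a vulnerable Bootstrap pulled in by a theme or plugin is still served to the browser even when the top-level dependency is patched.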
References
- GHSA-vc8w-jr9v-vj7f
- www.herodevs.com
- lists.debian.org
- CVE-2024-6531
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
- VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability - CVE-2024-29271
- ghtml Cross-Site Scripting (XSS) vulnerability - CVE-2024-37166
- vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) 4 - CVE-2024-52809
Tags:
- npm
- bootstrap
Last updated on April 14, 2025