Description
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap-sass package to the latest compatible version. The affected and patched versions are:
- Affected version(s): >= 3.0.0, < 3.4.1
- Patched version(s): 3.4.1
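As an added example (not part of the advisory), the following script turns the version range above into a check a practitioner can run over a resolved dependency list before and after upgrading. It compares bootstrap-sass versions against the affected range (>= 3.0.0, < 3.4.1) and reports the patched version; the dependency list at the bottom is constructed for illustration, and the semver handling (a pre-release such as 3.4.1-beta ranks below the 3.4.1 release, so it is still treated as affected) is this example's own logic, not something the advisory states.

```javascript
// Added example, not from the advisory: flag bootstrap-sass versions inside the
// affected range listed above and report the patched version to upgrade to.

const ADVISORY = {
  package: 'bootstrap-sass',
  id: 'CVE-2019-8331',                                  // identifier from the advisory
  affected: { minInclusive: '3.0.0', maxExclusive: '3.4.1' },
  patched: '3.4.1',
};

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix (a leading "v"
// is tolerated). Throws on anything else so malformed input is never silently
// treated as safe.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric comparison component by component; returns -1, 0 or 1.
// On an equal numeric triple, a pre-release ranks below the final release
// (the semver ordering rule), so "3.4.1-beta" < "3.4.1".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// True when version lies in [minInclusive, maxExclusive).
function isAffected(version, range = ADVISORY.affected) {
  return compareVersions(version, range.minInclusive) >= 0 &&
         compareVersions(version, range.maxExclusive) < 0;
}

// Audit a list of resolved dependencies ({ name, version }). A list rather than
// a map is used because lockfiles often contain several nested copies of the
// same package, each of which must be checked. Returns one finding per hit.
function auditDependencies(deps, advisory = ADVISORY) {
  const findings = [];
  for (const { name, version } of deps) {
    if (name !== advisory.package) continue;
    if (isAffected(version, advisory.affected)) {
      findings.push({ name, version, advisory: advisory.id, fixIn: advisory.patched });
    }
  }
  return findings;
}

// Constructed sample input: a direct copy and a nested copy of bootstrap-sass
// plus an unrelated package. Only the 3.3.7 copy falls inside the range.
const SAMPLE_DEPS = [
  { name: 'bootstrap-sass', version: '3.3.7' },
  { name: 'bootstrap-sass', version: '3.4.1' },
  { name: 'jquery', version: '3.6.0' },
];

for (const f of auditDependencies(SAMPLE_DEPS)) {
  console.log(`${f.name}@${f.version}: affected by ${f.advisory}, upgrade to ${f.fixIn}`);
}
```

Feed `auditDependencies` the resolved versions from your lockfile (every copy, not only the top-level one); an empty result after the upgrade confirms no copy remains in the affected range.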
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Tags:
- npm
- bootstrap-sass
Last updated on August 01, 2024