Description
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap-sass package to the latest compatible version. Version details follow:
- Affected version(s): >= 3.0.0, < 3.4.1
- Patched version(s): 3.4.1
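As an added example that is not part of this advisory or of Bootstrap's own code: a small Node.js audit script that scans static markup for data-template attribute values carrying tags or attributes outside an allowlist. Bootstrap 3.4.1 and 4.3.1 ship a template sanitizer (the `sanitize` option); a check like this helps find templates that were assembled from untrusted input on a version that predates it, or that the upgraded sanitizer will strip. The allowlist, the function names, and the sample markup are this example's own assumptions, not the library's.

```javascript
// Added example (not Bootstrap's code): audit markup for tooltip/popover
// data-template values that contain markup outside a small allowlist.
// The allowlist below is an assumption chosen for this example; it covers the
// elements and attributes the default tooltip/popover templates actually use.
const ALLOWED_TAGS = new Set(['div', 'h3', 'span', 'p', 'b', 'i', 'em', 'strong', 'br']);
const ALLOWED_ATTRS = new Set(['class', 'role', 'title']);

// Decode the entities that commonly appear inside attribute values, so that
// &lt;script&gt; is audited as the tag it becomes once the browser parses it.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Pull every data-template="..." / data-template='...' value out of the markup.
function extractTemplates(html) {
  const re = /data-template\s*=\s*("([^"]*)"|'([^']*)')/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(decodeEntities(m[2] !== undefined ? m[2] : m[3]));
  }
  return out;
}

// Tokenize the tags inside one template and report anything outside the allowlist.
// Closing tags are skipped: the opening tag already produced the finding.
function auditTemplate(tpl) {
  const findings = [];
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][\w:.-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = tagRe.exec(tpl)) !== null) {
    if (m[1] === '/') continue;
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) findings.push(`disallowed tag <${tag}>`);
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const name = a[1].toLowerCase();
      const value = (a[2] || '').replace(/^["']|["']$/g, '');
      if (!ALLOWED_ATTRS.has(name)) findings.push(`disallowed attribute ${name} on <${tag}>`);
      // A URL-valued attribute with a script: scheme is a finding even if the
      // attribute name were allowed in a wider allowlist.
      if (/^\s*javascript:/i.test(value)) findings.push(`script URL in ${name} on <${tag}>`);
    }
  }
  return findings;
}

// Audit a whole document: one result per data-template value found.
function auditMarkup(html) {
  return extractTemplates(html).map((template) => ({ template, findings: auditTemplate(template) }));
}

// Constructed sample markup (not from the advisory): one template that matches
// Bootstrap's default tooltip structure, one carrying a script element, and one
// carrying an inline event-handler attribute.
const SAMPLE_HTML = [
  "<button data-toggle=\"tooltip\" title=\"Safe\" data-template='<div class=\"tooltip\" role=\"tooltip\"><div class=\"tooltip-arrow\"></div><div class=\"tooltip-inner\"></div></div>'>A</button>",
  "<button data-toggle=\"tooltip\" title=\"Bad\" data-template=\"<div class=&quot;tooltip&quot;><script>void 0</script></div>\">B</button>",
  "<button data-toggle=\"popover\" data-template=\"<div class='popover'><span onclick='void 0'></span></div>\">C</button>",
].join('\n');

// Stand-alone run: print the audit so a reviewer can see which templates to fix.
for (const r of auditMarkup(SAMPLE_HTML)) {
  console.log(r.findings.length === 0 ? 'OK  ' : 'FAIL', JSON.stringify(r.findings));
}
```

The script is deliberately an allowlist, not a denylist: a template that uses only the elements and attributes the default tooltip and popover markup needs passes, and anything else (script elements, `on*` handlers, unexpected elements) is reported, which is the same posture the upgraded versions take with their sanitizer.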
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Vulnerable to Cross-Site Scripting (GHSA-9v3m-8fp8-mj99) - CVE-2019-8331
- Bootstrap Cross-site Scripting vulnerability - CVE-2016-10735
- Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
- Bootstrap Cross-site Scripting vulnerability (GHSA-7mvr-5x2g-wfc8) - CVE-2018-14042
Tags
- npm
- bootstrap-sass
Last updated on August 01, 2024