Description
Bootstrap before 3.4.1 (3.x line) and before 4.3.1 (4.x line) is vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins is not sanitized before the template is turned into DOM, so an attacker who controls that attribute can inject markup that executes arbitrary JavaScript in the victim's browser. bootstrap-sass packages the Bootstrap 3 line, so only the 3.x range applies to it.
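The following is an added example, not Bootstrap's own code, showing the bug class and the shape of the 3.4.1 fix: a template that reaches the DOM unchanged versus the same template passed through an allow-list of tags and attributes plus a safe-URL check. Bootstrap performs this on real DOM nodes in the browser; the small tokenizer here is a Node-runnable stand-in for the demo (an assumption, not a sanitizer to ship), the allow-list contents are illustrative, and the attacker payload is constructed.

```javascript
// Allow-list of elements a tooltip/popover template legitimately needs
// (illustrative; Bootstrap 3.4.1's default whiteList is longer).
const ALLOWED_TAGS = new Set(['div', 'h3', 'span', 'p', 'b', 'i', 'em', 'strong',
  'small', 'a', 'img', 'br', 'ul', 'ol', 'li', 'code', 'pre']);
// Attributes allowed on any element, plus per-tag extras. Event handlers
// (on*) and style are never listed, which is what neutralises the payload.
const GLOBAL_ATTRS = new Set(['class', 'id', 'title', 'lang', 'dir', 'role']);
const TAG_ATTRS = {
  a: new Set(['href', 'target']),
  img: new Set(['src', 'alt', 'width', 'height']),
};
// Relative URLs or http/https/mailto/tel only. The "[^&:/?#]*" branch is strict
// on purpose: "javascript:", "data:" and entity-encoded schemes all fail closed.
const SAFE_URL = /^(?:(?:https?|mailto|tel):|[^&:/?#]*(?:[/?#]|$))/i;
const RAW_TEXT_TAGS = new Set(['script', 'style']); // dropped together with their body
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
const ATTR_RE = /([^\s"'>/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function isSafeUrl(value) {
  return SAFE_URL.test(value);
}

function attrAllowed(tag, name) {
  if (/^on/i.test(name) || name === 'style') return false;
  if (GLOBAL_ATTRS.has(name) || /^aria-[\w-]+$/.test(name)) return true;
  return TAG_ATTRS[tag] !== undefined && TAG_ATTRS[tag].has(name);
}

// Rebuild the attribute list from scratch, keeping only allowed names and
// only URL values that pass SAFE_URL.
function sanitizeAttrs(tag, raw) {
  let out = '';
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (!attrAllowed(tag, name)) continue;
    if ((name === 'href' || name === 'src') && (value === undefined || !isSafeUrl(value))) continue;
    out += value === undefined ? ` ${name}` : ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

function sanitizeTemplate(html) {
  let out = '';
  let pos = 0;
  let skipUntil = null; // name of the raw-text element whose body is being dropped
  for (const m of html.matchAll(TAG_RE)) {
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(pos, m.index);
    pos = m.index + whole.length;
    if (skipUntil !== null) {
      if (slash && name === skipUntil) skipUntil = null;
      continue;                          // <script>/<style> body and its tags are discarded
    }
    out += text.replace(/</g, '&lt;');   // a stray "<" in text can never start a tag
    if (RAW_TEXT_TAGS.has(name)) { if (!slash) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown element: drop the tag, keep its text
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
  }
  if (skipUntil === null) out += html.slice(pos).replace(/</g, '&lt;');
  return out;
}

// Pre-3.4.1 behaviour: the data-template string is handed to the DOM as-is.
// 3.4.1 introduced a `sanitize` option that defaults to true.
function renderTemplate(template, { sanitize = true } = {}) {
  return sanitize ? sanitizeTemplate(template) : template;
}

// Bootstrap 3's stock popover template; it must survive sanitisation unchanged.
const DEFAULT_POPOVER = '<div class="popover" role="tooltip"><div class="arrow"></div>'
  + '<h3 class="popover-title"></h3><div class="popover-content"></div></div>';

// Constructed payload of the kind an attacker would place in data-template.
const PAYLOAD = '<div class="tooltip" role="tooltip"><div class="tooltip-inner">'
  + '<img src=x onerror="alert(document.cookie)">'
  + '<a href="javascript:alert(1)" onmouseover="alert(2)">help</a>'
  + '<script>alert(3)</script></div></div>';

console.log('unsanitized:', renderTemplate(PAYLOAD, { sanitize: false }));
console.log('sanitized:  ', renderTemplate(PAYLOAD));
```

The sanitised output keeps the tooltip structure (`div`, `class`, `role`, even the `img` with its harmless `src`) and loses every handler, the `javascript:` link target and the `script` element. The practical takeaways are the same for the real plugin: upgrade so `sanitize` is on, and if you must widen `whiteList`, never add `on*`, `style` or an unchecked `href`/`src`.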
Recommendation
Update the bootstrap-sass package to the latest compatible version; 3.4.1 is the first release that carries the fix. Version details:
- Affected version(s): >= 3.0.0, < 3.4.1
- Patched version(s): 3.4.1
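As an added check (not part of the advisory), the script below walks an npm package-lock.json and reports every installed copy of bootstrap-sass that falls in the affected range >= 3.0.0, < 3.4.1, including nested copies pulled in by a dependency. The lockfile layouts assumed are the documented ones (a flat "packages" map keyed by path for lockfileVersion 2 and 3, a nested "dependencies" tree for version 1); the sample lockfiles are constructed.

```javascript
const AFFECTED = { name: 'bootstrap-sass', min: [3, 0, 0], fixed: [3, 4, 1] };

// Minimal semver parse. The 4th element orders any pre-release (3.4.1-rc.1)
// below its release (3.4.1), so a pre-release of the fixed version is still
// reported as affected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function cmp(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return cmp(v, [...AFFECTED.min, 1]) >= 0 && cmp(v, [...AFFECTED.fixed, 1]) < 0;
}

// lockfileVersion 1 nests copies under "dependencies"; recurse to find them all.
function walkV1(deps, prefix, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === AFFECTED.name && info.version && isAffected(info.version)) {
      hits.push({ path, version: info.version });
    }
    walkV1(info.dependencies, `${path}/`, hits);
  }
}

// Returns [{ path, version }] for every affected copy in a parsed lockfile.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/bootstrap-sass".
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() !== AFFECTED.name) continue;
      if (info.version && isAffected(info.version)) hits.push({ path, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Constructed lockfiles: the top-level copy is patched, but a theme package
// still pins an old bootstrap-sass underneath it.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'bootstrap-sass': '^3.4.1' } },
    'node_modules/bootstrap-sass': { version: '3.4.1' },
    'node_modules/legacy-theme': { version: '1.0.0', dependencies: { 'bootstrap-sass': '~3.3.0' } },
    'node_modules/legacy-theme/node_modules/bootstrap-sass': { version: '3.3.7' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { 'bootstrap-sass': { version: '3.4.0' }, other: { version: '1.0.0' } },
};

// Usage: node check-lock.js [path/to/package-lock.json]; with no argument the
// constructed SAMPLE_LOCK is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const hit of findAffected(lock)) {
    console.log(`${hit.path}@${hit.version} is affected (CVE-2019-8331)`);
  }
}
```

Nested copies are the ones a plain `npm ls bootstrap-sass` at the top level is easy to overlook; a second copy compiled into a theme's CSS/JS bundle is just as exploitable as the root one.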
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Vulnerable to Cross-Site Scripting (GHSA-9v3m-8fp8-mj99) - CVE-2019-8331
- Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040
- bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) - CVE-2018-20677
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component - CVE-2019-11003
Tags:
- npm
- bootstrap-sass
Last updated on August 01, 2024