Description
Versions of bootstrap prior to 3.4.1 (3.x line) and 4.3.1 (4.x line) are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap package to the latest compatible version. Version details:
Affected version(s): **>= 3.0.0, < 3.4.1** and **>= 4.0.0, < 4.3.1**
Patched version(s): **3.4.1**, **4.3.1**
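An added check, not code from the advisory or from Bootstrap itself: a plain Node.js script that flags bootstrap copies in a parsed package-lock.json whose version falls inside the affected ranges above. The lockfile shapes it walks (v1 nested "dependencies", v2/v3 "packages" map) are assumed from npm's documented formats, and the sample lockfile is constructed.

```javascript
// Added example, not code from the advisory or from Bootstrap itself: scan a parsed
// package-lock.json for bootstrap installs inside the affected ranges stated above.
const AFFECTED_RANGES = [{ min: "3.0.0", fixed: "3.4.1" }, { min: "4.0.0", fixed: "4.3.1" }];

// Parse "x.y.z" or "x.y.z-pre" (optional leading "v") into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: Boolean(m[4]) };
}

// Semver-style ordering: numeric fields first; a prerelease sorts below the
// matching release, so 3.4.1-beta still counts as inside the affected range.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return Number(b.pre) - Number(a.pre);
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) =>
    compareVersions(v, parseVersion(r.min)) >= 0 &&
    compareVersions(v, parseVersion(r.fixed)) < 0);
}

// Returns install paths of affected bootstrap copies. Covers the lockfile v2/v3
// "packages" map and the v1 nested "dependencies" tree (nested copies included).
function findAffectedBootstrap(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/bootstrap$/.test(path) && isAffected(info.version)) hits.push(path);
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "bootstrap" && isAffected(info.version)) hits.push(path);
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed v1-style lockfile: a vulnerable top-level copy and a patched nested copy.
const SAMPLE_LOCK = { dependencies: {
  bootstrap: { version: "4.1.3" },
  "some-theme": { version: "1.0.0", dependencies: { bootstrap: { version: "3.4.1" } } },
} };
console.log(findAffectedBootstrap(SAMPLE_LOCK)); // [ 'node_modules/bootstrap' ]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.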
References
- GHSA-9v3m-8fp8-mj99
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Vulnerable to Cross-Site Scripting - CVE-2019-8331
- Status Board vulnerable to Cross-Site Scripting before v1.1.82 - CVE-2019-15479
- Bootstrap vulnerable to Cross-Site Scripting (XSS) - CVE-2018-14040
- Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components - CVE-2025-1647
Tags: npm, bootstrap
Last updated on August 01, 2024