Description
Versions of bootstrap prior to 3.4.1 on the 3.x branch and prior to 4.3.1 on the 4.x branch are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap package to the latest compatible version. Version details:
Affected version(s): **>= 3.0.0, < 3.4.1** and **>= 4.0.0, < 4.3.1**
Patched version(s): **3.4.1** and **4.3.1**
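As an added example (not part of this advisory or of the bootstrap project), a Node.js check that walks a package-lock.json and flags every bootstrap entry whose version falls in the affected ranges above, including nested copies pulled in by other packages; the lockfile content below is constructed for the demonstration.

```javascript
// Affected ranges from the advisory (CVE-2019-8331): >= 3.0.0 < 3.4.1 and >= 4.0.0 < 4.3.1.
const AFFECTED_RANGES = [
  { min: [3, 0, 0], fixed: [3, 4, 1] },
  { min: [4, 0, 0], fixed: [4, 3, 1] },
];

// Parse "3.4.0", "v4.3.1" or "4.3.1-beta.1" into numeric parts plus a prerelease flag; null if not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are not flagged here; surface them separately if needed
  return AFFECTED_RANGES.some((r) => {
    const c = compare(v.nums, r.fixed);
    // A prerelease of the fixed version (e.g. 4.3.1-beta) sorts below 4.3.1 and is still affected.
    return compare(v.nums, r.min) >= 0 && (c < 0 || (c === 0 && v.pre));
  });
}

// Returns [{ path, version }] for every affected bootstrap entry in the lockfile object.
function findAffectedBootstrap(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat "packages" map keyed by install path
    for (const [p, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/bootstrap$/.test(p) && isAffected(info.version)) hits.push({ path: p, version: info.version });
    }
    return hits;
  }
  const walk = (deps, path) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === 'bootstrap' && isAffected(info.version)) hits.push({ path: here.join(' > '), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: one direct affected copy, one patched nested copy, one affected nested copy.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  bootstrap: { version: '4.3.0' },
  'some-ui-kit': { version: '1.0.0', dependencies: { bootstrap: { version: '3.4.1' } } },
  'legacy-theme': { version: '0.9.0', dependencies: { bootstrap: { version: '3.3.7' } } },
} };
console.log(findAffectedBootstrap(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; a nested 3.3.7 under a theme package is exactly the kind of copy a top-level version bump misses.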
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Vulnerable to Cross-Site Scripting - CVE-2019-8331
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003
- Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
- Bootstrap Cross-site Scripting vulnerability (GHSA-7mvr-5x2g-wfc8) - CVE-2018-14042
Tags:
- npm
- bootstrap
Last updated on August 01, 2024