Description
Versions of bootstrap prior to 3.4.1 (3.x) and 4.3.1 (4.x) are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap package to the latest compatible version. Version details:
Affected version(s): **>= 3.0.0, < 3.4.1** and **>= 4.0.0, < 4.3.1**
Patched version(s): **3.4.1** and **4.3.1**
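The affected ranges above can be checked mechanically against a dependency inventory. The following is an added example (not code from the advisory or from the Bootstrap project) that encodes those two ranges and scans a constructed package-lock style package map for bootstrap entries that still need the upgrade; the lock structure and version strings are assumed sample input.

```javascript
// Added example: flag bootstrap versions inside the advisory's affected ranges.
// Ranges from the advisory: >=3.0.0 <3.4.1 and >=4.0.0 <4.3.1 (patched: 3.4.1, 4.3.1).
const AFFECTED_RANGES = [
  { min: '3.0.0', maxExclusive: '3.4.1' },
  { min: '4.0.0', maxExclusive: '4.3.1' },
];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"). A pre-release suffix is
// ignored, so "4.0.0-beta" is treated like 4.0.0: conservative for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: negative, zero or positive.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// True when min <= version < maxExclusive for any affected range.
function isVulnerableBootstrap(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 &&
           compareVersions(version, r.maxExclusive) < 0,
  );
}

// Walk a package-lock "packages" map (path -> metadata) and return every
// bootstrap entry, nested ones included, whose version is affected.
function findVulnerableBootstrap(lockPackages) {
  return Object.entries(lockPackages)
    .filter(([path, meta]) => /(^|\/)node_modules\/bootstrap$/.test(path) && meta.version)
    .filter(([, meta]) => isVulnerableBootstrap(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample resembling the "packages" section of a lockfileVersion 2/3 file.
const SAMPLE_LOCK_PACKAGES = {
  'node_modules/bootstrap': { version: '4.3.0' },
  'node_modules/some-theme/node_modules/bootstrap': { version: '3.4.1' },
  'node_modules/moment': { version: '2.29.4' },
};

console.log(findVulnerableBootstrap(SAMPLE_LOCK_PACKAGES));
```

Only the top-level 4.3.0 copy is reported; the nested 3.4.1 copy is already at the patched version.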
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
- Moment.js vulnerable to Inefficient Regular Expression Complexity - CVE-2022-31129
- Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
Tags:
- npm
- bootstrap
Last updated on August 01, 2024