Description
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
Recommendation
Update the bootstrap package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 3.0.0, < 3.4.1** and **>= 4.0.0, < 4.3.1**
Patched version(s): **3.4.1** and **4.3.1**
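An added example, not from this advisory or the Bootstrap project: a small check that decides whether an installed bootstrap version falls inside the affected ranges listed above, and walks a constructed package-lock.json-style tree (the SAMPLE_LOCK object and its package names are made up) so that nested copies pulled in by another dependency are flagged as well.

```javascript
// Added example (not from the advisory or Bootstrap): flag bootstrap copies
// whose version falls inside the affected ranges listed for CVE-2019-8331.
const AFFECTED_RANGES = [
  { min: "3.0.0", fixed: "3.4.1" }, // >= 3.0.0, < 3.4.1
  { min: "4.0.0", fixed: "4.3.1" }, // >= 4.0.0, < 4.3.1
];

// Parse "major.minor.patch"; a pre-release suffix such as "-beta" is ignored,
// so "4.3.1-beta" is treated like 4.3.1 (a simplifying assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version lies in any affected range (min inclusive, fixed exclusive).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every bootstrap install (top-level or nested) still on an affected version.
function findVulnerableBootstrap(lockfile) {
  const hits = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    const isBootstrap = path === "node_modules/bootstrap" || path.endsWith("/node_modules/bootstrap");
    if (isBootstrap && info.version && isAffected(info.version)) hits.push({ path, version: info.version });
  }
  return hits;
}

// Constructed sample lockfile (not a real project): one affected top-level copy
// and one already-patched nested copy under a hypothetical "demo-theme" package.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/bootstrap": { version: "4.3.0" },
    "node_modules/demo-theme": { version: "2.0.0" },
    "node_modules/demo-theme/node_modules/bootstrap": { version: "3.4.1" },
  },
};

console.log(findVulnerableBootstrap(SAMPLE_LOCK)); // [ { path: 'node_modules/bootstrap', version: '4.3.0' } ]
```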
References
- GHSA-9v3m-8fp8-mj99
- cve.mitre.org
- access.redhat.com
- lists.apache.org
- seclists.org
- support.f5.com
- www.oracle.com
- packetstormsecurity.com
- www.tenable.com
- web.archive.org
- blog.getbootstrap.com
- CVE-2019-8331
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Axios is vulnerable to DoS attack through lack of data size check - CVE-2025-58754
- Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components - CVE-2025-1647
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
- Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
Tags:
- npm
- bootstrap
Last updated on August 01, 2024