Open mend-for-github-com[bot] opened 10 months ago
Library home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Dependency Hierarchy: - :x: **bootstrap-sass-2.3.2.2.gem** (Vulnerable Library)
Found in base branch: master
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. Publish Date: 2024-07-11 URL: CVE-2024-6484
Publish Date: 2024-07-11
URL: CVE-2024-6484
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6484
Release Date: 2024-07-11
Fix Resolution: org.webjars.npm:bootstrap - 4.0.0-alpha.2;bootstrap.sass - 4.0.0-alpha;twbs/bootstrap - dev-dependabot/npm_and_yarn/rtlcss-3.1.1,dev-dependabot/npm_and_yarn/nodemon-3.1.3,dev-XhmikosR-patch-3,dev-dependabot/npm_and_yarn/rtlcss-3.4.0,dev-dependabot/npm_and_yarn/find-unused-sass-variables-3.1.0,dev-dependabot/npm_and_yarn/linkinator-2.4.0,dev-dependabot/npm_and_yarn/rollup-3.5.0,dev-dependabot/npm_and_yarn/nodemon-3.0.1,dev-dependabot/npm_and_yarn/rollup-3.2.5,dev-dependabot/npm_and_yarn/nodemon-3.0.2,dev-dependabot/npm_and_yarn/nodemon-3.0.3;bootstrap - 4.0.0;bootstrap - 3.3.6-jQuery3,4.0.0-alpha;org.webjars:bootstrap - 4.0.0-alpha
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14042
Release Date: 2018-07-13
Fix Resolution: bootstrap - 3.4.0,4.1.2
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
URL: CVE-2018-14040
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.
Library home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-6484
### Vulnerable Library - bootstrap-sass-2.3.2.2.gemLibrary home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Dependency Hierarchy: - :x: **bootstrap-sass-2.3.2.2.gem** (Vulnerable Library)
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
Found in base branch: master
### Vulnerability DetailsA vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
### CVSS 3 Score Details (6.4)Publish Date: 2024-07-11
URL: CVE-2024-6484
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6484
Release Date: 2024-07-11
Fix Resolution: org.webjars.npm:bootstrap - 4.0.0-alpha.2;bootstrap.sass - 4.0.0-alpha;twbs/bootstrap - dev-dependabot/npm_and_yarn/rtlcss-3.1.1,dev-dependabot/npm_and_yarn/nodemon-3.1.3,dev-XhmikosR-patch-3,dev-dependabot/npm_and_yarn/rtlcss-3.4.0,dev-dependabot/npm_and_yarn/find-unused-sass-variables-3.1.0,dev-dependabot/npm_and_yarn/linkinator-2.4.0,dev-dependabot/npm_and_yarn/rollup-3.5.0,dev-dependabot/npm_and_yarn/nodemon-3.0.1,dev-dependabot/npm_and_yarn/rollup-3.2.5,dev-dependabot/npm_and_yarn/nodemon-3.0.2,dev-dependabot/npm_and_yarn/nodemon-3.0.3;bootstrap - 4.0.0;bootstrap - 3.3.6-jQuery3,4.0.0-alpha;org.webjars:bootstrap - 4.0.0-alpha
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-8331
### Vulnerable Library - bootstrap-sass-2.3.2.2.gemLibrary home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Dependency Hierarchy: - :x: **bootstrap-sass-2.3.2.2.gem** (Vulnerable Library)
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
Found in base branch: master
### Vulnerability DetailsIn Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-14042
### Vulnerable Library - bootstrap-sass-2.3.2.2.gemLibrary home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Dependency Hierarchy: - :x: **bootstrap-sass-2.3.2.2.gem** (Vulnerable Library)
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
Found in base branch: master
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14042
Release Date: 2018-07-13
Fix Resolution: bootstrap - 3.4.0,4.1.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-14040
### Vulnerable Library - bootstrap-sass-2.3.2.2.gemLibrary home page: https://rubygems.org/gems/bootstrap-sass-2.3.2.2.gem
Path to dependency file: /ruby/parameter-binding/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/bootstrap-sass-2.3.2.2.gem
Dependency Hierarchy: - :x: **bootstrap-sass-2.3.2.2.gem** (Vulnerable Library)
Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab
Found in base branch: master
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040
Release Date: 2018-07-13
Fix Resolution: bootstrap - 3.4.0,4.1.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.