A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-6485
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsA security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Publish Date: 2024-07-11
URL: CVE-2024-6485
### CVSS 3 Score Details (6.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6485
Release Date: 2024-07-11
Fix Resolution: 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-6484
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsA vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
### CVSS 3 Score Details (6.4)Publish Date: 2024-07-11
URL: CVE-2024-6484
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6484
Release Date: 2024-07-11
Fix Resolution: 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-8331
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2019-02-20
Fix Resolution: 3.4.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-20677
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-20676
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-14042
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14042
Release Date: 2018-07-13
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-10735
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-14040
### Vulnerable Library - bootstrap-3.3.7.tgzThe most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/bootstrap/package.json
Dependency Hierarchy: - :x: **bootstrap-3.3.7.tgz** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2018-07-13
Fix Resolution: 3.4.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.