Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484

[PeterVenhuizen]

As identified by our bundle audit job in the CI:

Name: bootstrap-sass
Version: 3.4.1
CVE: CVE-2024-6484
GHSA: GHSA-9mvj-f7w8-pvh2
Criticality: Medium
URL: https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
Title: Bootstrap Cross-Site Scripting (XSS) vulnerability
Solution: remove or disable this gem until a patch is available!

Text from the GitHub advisories: "A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser."

[doconnor-clintel]

https://www.herodevs.com/vulnerability-directory/cve-2024-6484

How is this a CVE!

You have to put your own hyperlink with malicious javascript on the page:

<a
    href="javascript:alert('XSS href')"
    class="left"
    role="button"
    data-slide="prev"
  >

[PBaciu]

Would sanitizing the href value in the carousel data api be a sufficient fix? If so, I could fork the repo and put a PR up.

[PoroshkinaVV]

@twbs please, pay attention to this problem

[hocine15]

is there any solution for this issue? will this be patched or not?

[pau1phi11ips]

It's this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.