Open PeterVenhuizen opened 1 month ago
https://www.herodevs.com/vulnerability-directory/cve-2024-6484
How is this a CVE!
You have to put your own hyperlink with malicious javascript on the page:
```html
<!-- Proof-of-concept control from the report: a carousel control whose href
     is a javascript: URL instead of a "#carouselId" fragment -->
<a
  href="javascript:alert('XSS href')"
  class="left"
  role="button"
  data-slide="prev"
></a>
```
Would sanitizing the href value in the carousel data API be a sufficient fix? If so, I could fork the repo and put a PR up.
As identified by our bundle audit job in the CI:
Text from the GitHub advisories: "A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an `<a>` tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser."
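The question above is whether validating the href in the carousel data API would be enough. The following is an added example, not Bootstrap's code and not the fix any maintainer shipped: it contrasts the legacy way of deriving a target selector from `data-target`/`href` (my paraphrase of the Bootstrap 3 data-API logic, which should be treated as an assumption) with a strict version that accepts only a same-document fragment such as `#myCarousel`. Everything else (`javascript:` URLs, full URLs, markup, selector metacharacters) yields `null`, so the click handler has nothing to pass to a selector engine and simply returns. `resolveCarouselAction` is a hypothetical helper that also validates `data-slide` and `data-slide-to` the same way.

```javascript
// Added example (not Bootstrap's own code). Pure functions over an attribute
// map so it runs without a DOM; in a real handler `attrs` would come from
// element.getAttribute(...).

// A fragment selector: "#" followed by an id made of letters, digits, "-" or "_".
const SAFE_FRAGMENT = /^#[A-Za-z][\w-]*$/;

// Assumed paraphrase of the legacy Bootstrap 3 data-API: prefer data-target,
// otherwise take href and strip everything before its last "#". An href with
// no "#" at all is returned unchanged, whatever it contains.
function legacyTargetSelector(attrs) {
  const href = attrs['href'];
  return attrs['data-target'] || (href && href.replace(/.*(?=#[^\s]+$)/, ''));
}

// Hardened variant: the candidate must be a literal fragment selector.
// Returns the selector string, or null when the control should be ignored.
function safeTargetSelector(attrs) {
  const candidate = attrs['data-target'] || attrs['href'] || '';
  return SAFE_FRAGMENT.test(candidate) ? candidate : null;
}

// Hypothetical helper: resolve the whole control into an action the carousel
// can act on. data-slide must be exactly "prev" or "next"; data-slide-to must
// be a non-negative integer. Anything else returns null.
function resolveCarouselAction(attrs) {
  const target = safeTargetSelector(attrs);
  if (target === null) return null;
  const slide = attrs['data-slide'];
  if (slide === 'prev' || slide === 'next') {
    return { target, action: slide };
  }
  const slideTo = attrs['data-slide-to'] || '';
  if (/^\d+$/.test(slideTo)) {
    return { target, action: Number(slideTo) };
  }
  return null;
}

// Constructed sample controls, mirroring the one in the report.
const SAMPLE_CONTROLS = [
  { href: "javascript:alert('XSS href')", 'data-slide': 'prev' },   // rejected
  { href: '#myCarousel', 'data-slide': 'next' },                    // accepted
  { href: 'https://example.com/page#myCarousel', 'data-slide-to': '2' }, // rejected: not a bare fragment
  { 'data-target': '#c1', href: "javascript:alert(1)", 'data-slide-to': '0' } // accepted via data-target
];

function summarize(controls) {
  return controls.map(resolveCarouselAction);
}

module.exports = { legacyTargetSelector, safeTargetSelector, resolveCarouselAction, summarize };
```

The legacy path shows why href alone is a weak anchor for trust: with no `#` present the full attribute value flows through untouched. The strict path is sufficient only if every consumer of the selector (the click handler and the selector engine it calls) is reached exclusively through it; a second code path that reads `href` directly would reintroduce the problem.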