GHSA-9v3m-8fp8-mj99

Suggest an improvement
Source
https://github.com/advisories/GHSA-9v3m-8fp8-mj99
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-9v3m-8fp8-mj99/GHSA-9v3m-8fp8-mj99.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9v3m-8fp8-mj99
Aliases
Published
2019-02-22T20:54:47Z
Modified
2024-08-01T21:22:34.488600Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Bootstrap Vulnerable to Cross-Site Scripting
Details

Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

Recommendation

For bootstrap 4.x upgrade to 4.3.1 or later. For bootstrap 3.x upgrade to 3.4.1 or later.

References

Affected packages

RubyGems / bootstrap

Package

Name
bootstrap
Purl
pkg:gem/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.1

Affected versions

4.*

4.0.0.alpha1
4.0.0.alpha2
4.0.0.alpha3
4.0.0.alpha3.1
4.0.0.alpha4
4.0.0.alpha5
4.0.0.alpha6
4.0.0.beta
4.0.0.beta2
4.0.0.beta2.1
4.0.0.beta3
4.0.0
4.1.0
4.1.1
4.1.2
4.1.3
4.2.1
4.3.0

RubyGems / bootstrap-sass

Package

Name
bootstrap-sass
Purl
pkg:gem/bootstrap-sass

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.1

Affected versions

3.*

3.0.0.0
3.0.1.0.rc
3.0.1.0
3.0.2.0
3.0.2.1
3.0.3.0
3.1.0.0
3.1.0.1
3.1.0.2
3.1.1.0
3.1.1.1
3.2.0.4
3.3.0.0
3.3.0.1
3.3.1.0
3.3.2.0
3.3.2.1
3.3.3
3.3.4.1
3.3.5
3.3.5.1
3.3.6
3.3.7
3.4.0

NuGet / Bootstrap.Less

Package

Name
Bootstrap.Less
View open source insights on deps.dev
Purl
pkg:nuget/Bootstrap.Less

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.1

Affected versions

3.*

3.3.5
3.3.6-jQuery3
3.3.6
3.3.6.1
3.3.7
3.4.0

NuGet / bootstrap

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.1

Affected versions

4.*

4.0.0
4.1.0
4.1.1-contentFiles
4.1.1
4.1.2
4.1.3
4.2.1

NuGet / bootstrap

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.1

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.2.0
3.3.0
3.3.1
3.3.2
3.3.4
3.3.5
3.3.6-jQuery3
3.3.6
3.3.6.1
3.3.7
3.4.0

NuGet / bootstrap.sass

Package

Name
bootstrap.sass
View open source insights on deps.dev
Purl
pkg:nuget/bootstrap.sass

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.1

Affected versions

3.*

3.4.1

4.*

4.0.0-alpha
4.0.0-alpha2
4.0.0-alpha3
4.0.0-alpha4
4.0.0-alpha5
4.0.0-alpha6
4.0.0-beta
4.0.0-beta2
4.0.0-beta3
4.0.0
4.1.0
4.1.1-contentFiles
4.1.1
4.1.2
4.1.3
4.2.1

npm / bootstrap

Package

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
4.3.1

npm / bootstrap

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.4.1

npm / bootstrap-sass

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.4.1

RubyGems / twitter-bootstrap-rails

Package

Name
twitter-bootstrap-rails
Purl
pkg:gem/twitter-bootstrap-rails

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.0.0

Affected versions

0.*

0.0.3
0.0.4
0.0.5

1.*

1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3

2.*

2.0rc0
2.0
2.0.0
2.0.1
2.0.1.0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

3.*

3.2.0
3.2.1.rc1
3.2.2

4.*

4.0.0

5.*

5.0.0

Maven / org.webjars:bootstrap

Package

Name
org.webjars:bootstrap
View open source insights on deps.dev
Purl
pkg:maven/org.webjars/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.1

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.1-1
3.1.1-2
3.2.0
3.2.0-1
3.2.0-2
3.3.0
3.3.1
3.3.2
3.3.2-1
3.3.2-2
3.3.4
3.3.5
3.3.6
3.3.7
3.3.7-1
3.4.0

Maven / org.webjars:bootstrap

Package

Name
org.webjars:bootstrap
View open source insights on deps.dev
Purl
pkg:maven/org.webjars/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.1

Affected versions

4.*

4.0.0
4.0.0-1
4.0.0-2
4.1.0
4.1.1
4.1.2
4.1.3
4.2.1
4.3.0

Packagist / twbs/bootstrap

Package

Name
twbs/bootstrap
Purl
pkg:composer/twbs/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.1

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.3.1
v3.3.2
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.4.0

Packagist / twbs/bootstrap

Package

Name
twbs/bootstrap
Purl
pkg:composer/twbs/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.1

Affected versions

v4.*

v4.0.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.3.0