GHSA-9v3m-8fp8-mj99

Source

https://github.com/advisories/GHSA-9v3m-8fp8-mj99

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-9v3m-8fp8-mj99/GHSA-9v3m-8fp8-mj99.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9v3m-8fp8-mj99

Aliases

CVE-2019-8331

Published

2019-02-22T20:54:47Z

Modified

2024-08-01T21:22:34.488600Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Bootstrap Vulnerable to Cross-Site Scripting

Details

Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

Recommendation

For bootstrap 4.x upgrade to 4.3.1 or later. For bootstrap 3.x upgrade to 3.4.1 or later.

References

Affected packages

RubyGems / bootstrap

Package

Name: bootstrap
Purl: pkg:gem/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.1

Affected versions

4.*

4.0.0.alpha1

4.0.0.alpha2

4.0.0.alpha3

4.0.0.alpha3.1

4.0.0.alpha4

4.0.0.alpha5

4.0.0.alpha6

4.0.0.beta

4.0.0.beta2

4.0.0.beta2.1

4.0.0.beta3

4.0.0

4.1.0

4.1.1

4.1.2

4.1.3

4.2.1

4.3.0

RubyGems / bootstrap-sass

Package

Name: bootstrap-sass
Purl: pkg:gem/bootstrap-sass

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.1

Affected versions

3.*

3.0.0.0

3.0.1.0.rc

3.0.1.0

3.0.2.0

3.0.2.1

3.0.3.0

3.1.0.0

3.1.0.1

3.1.0.2

3.1.1.0

3.1.1.1

3.2.0.4

3.3.0.0

3.3.0.1

3.3.1.0

3.3.2.0

3.3.2.1

3.3.3

3.3.4.1

3.3.5

3.3.5.1

3.3.6

3.3.7

3.4.0

NuGet / Bootstrap.Less

Package

Name: Bootstrap.Less; View open source insights on deps.dev
Purl: pkg:nuget/Bootstrap.Less

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.1

Affected versions

3.*

3.3.5

3.3.6-jQuery3

3.3.6

3.3.6.1

3.3.7

3.4.0

NuGet / bootstrap

Package

Name: bootstrap; View open source insights on deps.dev
Purl: pkg:nuget/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.1

Affected versions

4.*

4.0.0

4.1.0

4.1.1-contentFiles

4.1.1

4.1.2

4.1.3

4.2.1

NuGet / bootstrap

Package

Name: bootstrap; View open source insights on deps.dev
Purl: pkg:nuget/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.1

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.2.0

3.3.0

3.3.1

3.3.2

3.3.4

3.3.5

3.3.6-jQuery3

3.3.6

3.3.6.1

3.3.7

3.4.0

NuGet / bootstrap.sass

Package

Name: bootstrap.sass; View open source insights on deps.dev
Purl: pkg:nuget/bootstrap.sass

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.1

Affected versions

3.*

3.4.1

4.*

4.0.0-alpha

4.0.0-alpha2

4.0.0-alpha3

4.0.0-alpha4

4.0.0-alpha5

4.0.0-alpha6

4.0.0-beta

4.0.0-beta2

4.0.0-beta3

4.0.0

4.1.0

4.1.1-contentFiles

4.1.1

4.1.2

4.1.3

4.2.1

npm / bootstrap

Package

Name: bootstrap; View open source insights on deps.dev
Purl: pkg:npm/bootstrap

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.3.1

npm / bootstrap

Package

Name: bootstrap; View open source insights on deps.dev
Purl: pkg:npm/bootstrap

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.4.1

npm / bootstrap-sass

Package

Name: bootstrap-sass; View open source insights on deps.dev
Purl: pkg:npm/bootstrap-sass

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.4.1

RubyGems / twitter-bootstrap-rails

Package

Name: twitter-bootstrap-rails
Purl: pkg:gem/twitter-bootstrap-rails

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.0.0

Affected versions

0.*

0.0.3

0.0.4

0.0.5

1.*

1.3.0

1.3.1

1.4.0

1.4.1

1.4.2

1.4.3

2.*

2.0rc0

2.0

2.0.0

2.0.1

2.0.1.0

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.2.0

2.2.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

3.*

3.2.0

3.2.1.rc1

3.2.2

4.*

4.0.0

5.*

5.0.0

Maven / org.webjars:bootstrap

Package

Name: org.webjars:bootstrap; View open source insights on deps.dev
Purl: pkg:maven/org.webjars/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.1

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.1-1

3.1.1-2

3.2.0

3.2.0-1

3.2.0-2

3.3.0

3.3.1

3.3.2

3.3.2-1

3.3.2-2

3.3.4

3.3.5

3.3.6

3.3.7

3.3.7-1

3.4.0

Maven / org.webjars:bootstrap

Package

Name: org.webjars:bootstrap; View open source insights on deps.dev
Purl: pkg:maven/org.webjars/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.1

Affected versions

4.*

4.0.0

4.0.0-1

4.0.0-2

4.1.0

4.1.1

4.1.2

4.1.3

4.2.1

4.3.0

Packagist / twbs/bootstrap

Package

Name: twbs/bootstrap
Purl: pkg:composer/twbs/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.4.1

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.1

v3.2.0

v3.3.0

v3.3.1

v3.3.2

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.4.0

Packagist / twbs/bootstrap

Package

Name: twbs/bootstrap
Purl: pkg:composer/twbs/bootstrap

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.1

Affected versions

v4.*

v4.0.0

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.2.0

v4.2.1

v4.3.0