GHSA-vc8w-jr9v-vj7f

Suggest an improvement
Source
https://github.com/advisories/GHSA-vc8w-jr9v-vj7f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-vc8w-jr9v-vj7f/GHSA-vc8w-jr9v-vj7f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vc8w-jr9v-vj7f
Aliases
Published
2024-07-11T18:31:14Z
Modified
2024-09-06T19:20:39.088066Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L CVSS Calculator
Summary
Bootstrap Cross-Site Scripting (XSS) vulnerability
Details

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

Database specific
{
    "nvd_published_at": "2024-07-11T18:15:06Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-01T21:29:23Z"
}
References

Affected packages

npm / bootstrap

Package

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0
Fixed
5.0.0

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

RubyGems / bootstrap

Package

Name
bootstrap
Purl
pkg:gem/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

4.*

4.0.0
4.1.0
4.1.1
4.1.2
4.1.3
4.2.1
4.3.0
4.3.1
4.4.1
4.5.0
4.5.2
4.5.3
4.6.0
4.6.1
4.6.2
4.6.2.1

5.*

5.0.0.alpha1
5.0.0.alpha2
5.0.0.alpha3
5.0.0.beta1
5.0.0.beta2
5.0.0.beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

NuGet / bootstrap

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

4.*

4.0.0
4.1.0
4.1.1-contentFiles
4.1.1
4.1.2
4.1.3
4.2.1
4.3.1
4.4.0
4.4.1-content-files
4.4.1-contentFiles
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.6.0
4.6.1
4.6.2

5.*

5.0.0-alpha1
5.0.0-alpha2
5.0.0-alpha3
5.0.0-beta1
5.0.0-beta2
5.0.0-beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

NuGet / bootstrap.sass

Package

Name
bootstrap.sass
View open source insights on deps.dev
Purl
pkg:nuget/bootstrap.sass

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

4.*

4.0.0
4.1.0
4.1.1-contentFiles
4.1.1
4.1.2
4.1.3
4.2.1
4.3.1
4.4.0
4.4.1-content-files
4.4.1-contentFiles
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.6.0
4.6.1
4.6.2

5.*

5.0.0-alpha1
5.0.0-alpha2
5.0.0-alpha3
5.0.0-beta1
5.0.0-beta2
5.0.0-beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

Packagist / twbs/bootstrap

Package

Name
twbs/bootstrap
Purl
pkg:composer/twbs/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

v4.*

v4.0.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.5.0
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.6.2

4.*

4.5.1

v5.*

v5.0.0-alpha1
v5.0.0-alpha2
v5.0.0-alpha3
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

Maven / org.webjars:bootstrap

Package

Name
org.webjars:bootstrap
View open source insights on deps.dev
Purl
pkg:maven/org.webjars/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

4.*

4.0.0
4.0.0-1
4.0.0-2
4.1.0
4.1.1
4.1.2
4.1.3
4.2.1
4.3.0
4.3.1
4.4.1
4.4.1-1
4.5.0
4.5.1
4.5.2
4.5.3
4.6.0
4.6.0-1
4.6.1
4.6.2

5.*

5.0.0-beta1
5.0.0-beta2
5.0.0-beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}

Maven / org.webjars.npm:bootstrap

Package

Name
org.webjars.npm:bootstrap
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.npm/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.0.0

Affected versions

4.*

4.0.0
4.1.0
4.1.1
4.1.2
4.1.3
4.2.1
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.6.0
4.6.1
4.6.2

5.*

5.0.0-alpha1
5.0.0-alpha2
5.0.0-alpha3
5.0.0-beta1
5.0.0-beta2
5.0.0-beta3

Database specific

{
    "last_known_affected_version_range": "<= 4.6.2"
}