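In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, cross-site scripting (XSS) is possible via the data-template attribute of the tooltip or popover component. A page is exposed when untrusted input can reach that attribute; the fixed releases are 3.4.1 and 4.3.1.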
{ "ubuntu_priority": "medium" }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "fonts-glyphicons-halflings": "1.009~3.4.1+dfsg-1", "libjs-bootstrap": "3.4.1+dfsg-1" } ] }