Bootstrap sass vulnerability
Issue date: 13-12-2021
Affects versions: 14.6
Security Issue ID
SECURITY-257
Affected Product Version(s)
14.6.3 and previous releases.
Severity
medium
Description
NPM-3649
In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
Unscored:
- Severity: moderate
References:
- Advisory 3649: Moderate severity vulnerability that affects bootstrap and bootstrap-sass
- https://nvd.nist.gov/vuln/detail/CVE-2019-8331
- https://github.com/advisories/GHSA-wh77-3x4m-4q9g
Vulnerable Software & Versions (NPM):
- cpe:2.3:a::bootstrap-sass:>=3.0.0 <3.4.1:::::::
CVE-2016-10735 (OSSINDEX)
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVSSv2:
- Base Score: MEDIUM (4.3)
- Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
- OSSINDEX - [CVE-2016-10735] In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible ...
Vulnerable Software & Versions (OSSINDEX):
- cpe:2.3:a::bootstrap-sass:3.3.7:::::::
CVE-2019-8331 (OSSINDEX)
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CVSSv3:
- Base Score: MEDIUM (6.1)
- Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- OSSINDEX - [CVE-2019-8331] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Vulnerable Software & Versions (OSSINDEX):
- cpe:2.3:a::bootstrap-sass:3.3.7:::::::
Instructions
Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.