Bootstrap sass vulnerability

Issue date: 13-12-2021
Affects versions: 13.4

Security Issue ID

SECURITY-261

Affected Product Version(s)

13.4.10 and previous releases.

Severity

medium

Description

NPM-1004390

In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Unscored:

Severity: moderate

References:

Advisory 1004390: Moderate severity vulnerability that affects bootstrap and bootstrap-sass - - https://nvd.nist.gov/vuln/detail/CVE-2019-8331 - https://github.com/advisories/GHSA-wh77-3x4m-4q9g

Vulnerable Software & Versions (NPM):

cpe:2.3:a::bootstrap-sass:\>\=3.0.0\<3.4.1:::::::

CVE-2016-10735 (OSSINDEX)

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVSSv2:

Base Score: MEDIUM (4.3)
Vector: /AV:N/AC:M/Au:N/C:N/I/A:N

Instructions

Customers using the 13.x major versions are recommended to upgrade to the latest version in that series.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

Bootstrap sass vulnerability