Skip to content

Bootstrap Cross-Site Scripting (XSS) vulnerability

Moderate severity GitHub Reviewed Published Jul 11, 2024 to the GitHub Advisory Database • Updated Aug 5, 2024

Package

npm bootstrap (npm)

Affected versions

>= 4.0.0, <= 4.6.2

Patched versions

None
bundler bootstrap (RubyGems)
>= 4.0.0, <= 4.6.2
None
nuget bootstrap (NuGet)
>= 4.0.0, <= 4.6.2
None
nuget bootstrap.sass (NuGet)
>= 4.0.0, <= 4.6.2
None
maven org.webjars:bootstrap (Maven)
>= 4.0.0, <= 4.6.2
None
composer twbs/bootstrap (Composer)
>= 4.0.0, <= 4.6.2
None

Description

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

References

Published by the National Vulnerability Database Jul 11, 2024
Published to the GitHub Advisory Database Jul 11, 2024
Reviewed Aug 1, 2024
Last updated Aug 5, 2024

Severity

Moderate
6.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Weaknesses

CVE ID

CVE-2024-6531

GHSA ID

GHSA-vc8w-jr9v-vj7f

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.