
One remaining CVE #1

Open
joejoseph00 opened this issue Sep 13, 2024 · 11 comments

Comments

@joejoseph00
Member

joejoseph00 commented Sep 13, 2024

@olstjos

olstjos commented Sep 30, 2024

6484 is questionable (weak?)

I suggest looking at fixing 6485 first:

CVE-2024-6485

@KlemenDEV

Is a solution where tags would just be stripped ok?

@joejoseph00
Member Author

joejoseph00 commented Sep 30, 2024

Yes, agreed. I think as long as it is a narrow scope of stripping, limited to just the CVE scope, it should be OK to strip.

@joejoseph00
Member Author

6485 should be first

@KlemenDEV

Is 6484 even valid? One can put such a link on any anchor with href.

@joejoseph00
Member Author

> Is 6484 even valid? One can put such a link on any anchor with href.

I agree, 6484 doesn't make any sense to me, and it hasn't been fully evaluated by the CVE folks.
Both of these CVEs still say:

> NVD assessment not yet provided.

The only one of these two CVEs that makes any sense to me would be 6485.

With that said, NVD hasn't assessed them yet; I would like to see what they say.

@sgdowney

sgdowney commented Dec 17, 2024

My previous comment below was based on an incomplete understanding of how the carousel navigation works. You can use either the data-target or href, but not both. When both are present, the data-target is used and the href is ignored. To address this CVE, you have to consider if some kind of validation of the href should be performed.

If I understand this correctly, the Bootstrap carousel uses anchor tags for the navigation buttons. Each anchor is expected to have a data-target and data-slide attribute. Any specified href attribute on the anchor is ignored, as the desired href value is generated using the data-target attribute. If the data-target attribute is missing, the Bootstrap carousel processing is bypassed and the provided href is used as is instead of being generated by the Bootstrap JS. This allows a potential bad actor to inject JavaScript on the carousel navigation anchor.

@joejoseph00
Member Author

@KlemenDEV does the explanation by @sgdowney help? There's probably an easy fix here from the sound of it.

@KlemenDEV

KlemenDEV commented Dec 18, 2024

I am still not sure if this is a valid CVE. This would require the attacker to have access to href, which is unusual for the carousel if it is unused. If JS alters href on the go, the same JS could also do what JS in href would do directly.

If the problem is only in cases where JS is placed in href during HTML building, this issue can be fixed by stripping href on DOM load for example, but this does not make much sense to me.

If the problem is that href also changes later, I am not sure how to prevent that, and also in this case, as I said, the code that changes href could execute stuff directly without placing itself in href and waiting for the user to click it.

@sgdowney

sgdowney commented Jan 7, 2025

This is a tricky one. The carousel navigation will first use the data-target attribute. If not present, it uses the href. Are there specific rules you enforce on the href attribute of a carousel navigation anchor?
Rules such as:

  • No JS
  • No external domains
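
The two rules above, together with the earlier description of how the navigation anchor falls back to href when data-target is absent, can be expressed as an allow-list check. The following is an added example written for this thread; it is not code from the issue, from Bootstrap, or from the Drupal theme. The page URL (`https://example.org/page`), the allowed-scheme set, the plain-object anchors and every function name are assumptions for illustration; in a real page the same logic would run over `document.querySelectorAll('[data-slide]')`.

```javascript
// Added example, not from the issue thread or from the Bootstrap project.
// Allow-list check for the href of carousel navigation anchors, following the
// two rules proposed in the thread: no JS, no external domains.

// Assumption: only plain http(s) links are acceptable navigation targets.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only if `href` is a same-document fragment, a same-origin
// http(s) URL, or a relative path that resolves to the same origin as
// `pageUrl`. javascript:, data:, vbscript: and every other scheme fail, as
// does any absolute or protocol-relative URL pointing at another origin.
function isSafeCarouselHref(href, pageUrl) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // The WHATWG URL parser trims surrounding whitespace, removes embedded
    // tabs/newlines and lower-cases the scheme, so obfuscated variants such
    // as " JaVaScRiPt:alert(1)" still parse with protocol "javascript:".
    url = new URL(href, pageUrl);
  } catch {
    return false; // unparsable href: treat as unsafe
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  return url.origin === new URL(pageUrl).origin;
}

// Mirrors the behaviour described in the thread: when data-target is present
// the href is never followed, so it is left alone; when data-target is absent
// the href is what a click follows, so an unsafe value is replaced with a
// harmless "#". `anchor` is an assumed plain object {dataTarget, href}.
function sanitizeCarouselAnchor(anchor, pageUrl) {
  if (anchor.dataTarget) return { ...anchor, stripped: false };
  if (isSafeCarouselHref(anchor.href, pageUrl)) return { ...anchor, stripped: false };
  return { ...anchor, href: "#", stripped: true };
}

// Processes a whole navigation block and reports how many hrefs were stripped.
function sanitizeCarouselAnchors(anchors, pageUrl) {
  const result = anchors.map((a) => sanitizeCarouselAnchor(a, pageUrl));
  return { anchors: result, strippedCount: result.filter((a) => a.stripped).length };
}

// Constructed sample input (not real markup from any site).
const PAGE_URL = "https://example.org/page";
const SAMPLE_ANCHORS = [
  { dataTarget: "#myCarousel", href: "javascript:alert(1)" }, // ignored: data-target wins
  { dataTarget: null, href: "#myCarousel" },                  // same-document fragment: kept
  { dataTarget: null, href: "/gallery#slide-2" },             // same-origin path: kept
  { dataTarget: null, href: " JaVaScRiPt:alert(1)" },         // obfuscated scheme: stripped
  { dataTarget: null, href: "//evil.example/" },              // external origin: stripped
  { dataTarget: null, href: "data:text/html,x" },             // data: URL: stripped
];

if (typeof require !== "undefined" && require.main === module) {
  const { anchors, strippedCount } = sanitizeCarouselAnchors(SAMPLE_ANCHORS, PAGE_URL);
  for (const a of anchors) console.log(`${a.stripped ? "STRIP" : "keep "}  ${JSON.stringify(a.href)}`);
  console.log(`stripped ${strippedCount} of ${anchors.length} hrefs`);
}
```

Using the URL parser rather than a regular expression on the raw string is the point of the check: it normalises case, whitespace and protocol-relative forms before the scheme and origin are compared, so the allow-list is evaluated on the same value the browser would navigate to.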

@KlemenDEV

This CVE assumes the generated HTML is not sanitized. At least in the Drupal Bootstrap theme, data-target is fixed and thus can't really be exploited.

4 participants