Bootstrap sass vulnerability 

Issue date: 13-12-2021
Affects versions: 14.6

Security Issue ID

SECURITY-257

 

Affected Product Version(s)

14.6.3 and previous releases.


Severity 

medium

 

Description

NPM-3649

 

In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Unscored:

  • Severity: moderate

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a::bootstrap-sass:\>\=3.0.0\<3.4.1:::::::

 

CVE-2016-10735 (OSSINDEX)  

 

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVSSv2:

  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a::bootstrap-sass:3.3.7:::::::

 

CVE-2019-8331 (OSSINDEX)

 

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

CVSSv3:

  • Base Score: MEDIUM (6.1)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerable Software & Versions (OSSINDEX):

  • cpe:2.3:a::bootstrap-sass:3.3.7:::::::

 

Instructions

Customers using 14.x versions are advised to upgrade to the latest version in that series.