Bootstrap sass vulnerability 

Issue date: 13-12-2021
Affects versions: 13.4

Security Issue ID

SECURITY-261

 

Affected Product Version(s)

13.4.10 and previous releases.


Severity 

medium

 

Description

 

NPM-1004390

 

In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Unscored:

  • Severity: moderate

References:

 

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a::bootstrap-sass:\>\=3.0.0\<3.4.1:::::::

 

CVE-2016-10735 (OSSINDEX)

 

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVSSv2:

  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

 

Instructions

Customers on the 13.x major version are advised to upgrade to the latest release in that series.