MidnightBSD

Advisories for getbootstrap

CVE-2016-10735 MEDIUM

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
getbootstrap bootstrap 4.0.0
CVE-2018-14040 MEDIUM

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
debian debian_linux 8.0
getbootstrap bootstrap 4.0.0
CVE-2018-14041 MEDIUM

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
getbootstrap bootstrap 4.0.0
CVE-2018-14042 MEDIUM

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
getbootstrap bootstrap 4.0.0
CVE-2018-20676 MEDIUM

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
CVE-2018-20677 MEDIUM

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
getbootstrap bootstrap *
CVE-2019-10842 HIGH

Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
getbootstrap bootstrap-sass 3.2.0.3
CVE-2019-8331 MEDIUM

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
f5 big-ip_application_acceleration_manager *
f5 big-ip_analytics *
getbootstrap bootstrap *
f5 big-ip_domain_name_system *
f5 big-ip_fraud_protection_service *
f5 big-ip_policy_enforcement_manager *
tenable tenable.sc *
f5 big-ip_access_policy_manager *
f5 big-ip_advanced_firewall_manager *
redhat virtualization_manager 4.3
f5 big-ip_local_traffic_manager *
f5 big-ip_edge_gateway *
f5 big-ip_link_controller *
f5 big-ip_webaccelerator *
f5 big-ip_application_security_manager *
f5 big-ip_global_traffic_manager *
CVE-2024-6484

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
36c7be3b-2937-45df-85ea-ca7133ea542c 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L 1.6 4.7

Products Affected

Vendor Product Version
getbootstrap bootstrap *
CVE-2024-6531

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
36c7be3b-2937-45df-85ea-ca7133ea542c 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L 1.6 4.7

Products Affected

Vendor Product Version
debian debian_linux 11.0
getbootstrap bootstrap *