Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12eG1jLTV4MjktaDY0ds4AA9zy
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Permalink: https://github.com/advisories/GHSA-vxmc-5x29-h64v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12eG1jLTV4MjktaDY0ds4AA9zy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 days ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Identifiers: GHSA-vxmc-5x29-h64v, CVE-2024-6485
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-6485
- https://www.herodevs.com/vulnerability-directory/cve-2024-6485
- https://github.com/advisories/GHSA-vxmc-5x29-h64v
Affected Packages
npm:bootstrap
Dependent packages: 17,952
Dependent repositories: 874,564
Downloads: 20,113,712 last month
Affected Version Ranges: >= 1.4.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 0.0.1, 0.0.2, 3.4.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3