Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2M20tOGZwOC1tajk5

Bootstrap Vulnerable to Cross-Site Scripting

Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.

Recommendation

For bootstrap 4.x upgrade to 4.3.1 or later.
For bootstrap 3.x upgrade to 3.4.1 or later.

Permalink: https://github.com/advisories/GHSA-9v3m-8fp8-mj99
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2M20tOGZwOC1tajk5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 4 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-9v3m-8fp8-mj99, CVE-2019-8331
References: Repository: https://github.com/twbs/bootstrap
Blast Radius: 150.3

Affected Packages

packagist:twbs/bootstrap
Dependent packages: 377
Dependent repositories: 5,770
Downloads: 14,217,448 total
Affected Version Ranges: >= 4.0.0, < 4.3.1, >= 3.0.0, < 3.4.1
Fixed in: 4.3.1, 3.4.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.3.0
All unaffected versions: 2.2.2, 2.3.0, 2.3.1, 2.3.2, 3.4.1, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
maven:org.webjars:bootstrap
Dependent packages: 350
Dependent repositories: 39,622
Downloads:
Affected Version Ranges: >= 4.0.0, < 4.3.1, >= 3.0.0, < 3.4.1
Fixed in: 4.3.1, 3.4.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0
All unaffected versions: 1.3.0, 2.0.2, 2.1.1, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 3.4.1, 4.3.1, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
rubygems:twitter-bootstrap-rails
Dependent packages: 83
Dependent repositories: 27,499
Downloads: 9,762,961 total
Affected Version Ranges: <= 5.0.0
No known fixed version
All affected versions: 0.0.3, 0.0.4, 0.0.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 3.2.0, 3.2.2, 4.0.0, 5.0.0
npm:bootstrap-sass
Dependent packages: 1,027
Dependent repositories: 89,805
Downloads: 1,013,262 last month
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 2.3.2, 3.4.1, 3.4.2, 3.4.3
npm:bootstrap
Dependent packages: 17,952
Dependent repositories: 874,564
Downloads: 20,093,492 last month
Affected Version Ranges: >= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1
Fixed in: 3.4.1, 4.3.1
All affected versions: 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0
All unaffected versions: 0.0.1, 0.0.2, 3.4.1, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:bootstrap.sass
Dependent packages: 2
Dependent repositories: 110
Downloads: 1,189,362 total
Affected Version Ranges: < 4.3.1
Fixed in: 4.3.1
All affected versions: 3.4.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1
All unaffected versions: 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:bootstrap
Dependent packages: 513
Dependent repositories: 140,376
Downloads: 104,424,041 total
Affected Version Ranges: >= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1
Fixed in: 3.4.1, 4.3.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1
All unaffected versions: 1.0.0, 2.3.1, 2.3.2, 3.4.1, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:Bootstrap.Less
Dependent packages: 10
Dependent repositories: 543
Downloads: 4,385,107 total
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 3.4.1
rubygems:bootstrap-sass
Dependent packages: 417
Dependent repositories: 155,544
Downloads: 64,731,811 total
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.3.3, 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.4.1
rubygems:bootstrap
Dependent packages: 104
Dependent repositories: 31,522
Downloads: 19,845,370 total
Affected Version Ranges: < 4.3.1
Fixed in: 4.3.1
All affected versions: 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0
All unaffected versions: 4.3.1, 4.4.1, 4.5.0, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3