Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2M20tOGZwOC1tajk5
Bootstrap Vulnerable to Cross-Site Scripting
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins is inserted into the DOM without input sanitization, so an attacker who controls the template may execute arbitrary JavaScript.
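Bootstrap 3.4.1 and 4.3.1 address this by running the template through an allowlist-based sanitizer before the markup is inserted: the template is parsed, elements and attributes not on an allowlist are removed, and href/src values are checked against a safe-URL pattern. The following is an added example of that approach, not Bootstrap's own code (which runs in the browser on a DOMParser tree); it re-implements the same technique on Python's stdlib html.parser so it can run offline. The tag/attribute allowlist, the void-tag set and the SAFE_URL pattern are assumptions chosen for this demo, not Bootstrap's defaults.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this demo (not Bootstrap's default list):
# tag -> attributes allowed on it; "*" applies to every allowed tag.
ALLOWED = {
    "*": {"class", "dir", "id", "lang", "role", "title"},
    "div": set(), "span": set(), "p": set(), "h3": set(), "br": set(),
    "b": set(), "strong": set(), "i": set(), "em": set(), "small": set(),
    "a": {"href", "target"},
    "img": {"src", "alt", "width", "height"},
}
# HTML void elements never get an end tag, so they must not open a "skip" scope.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"href", "src"}
# Absolute http(s)/mailto/tel URLs, or scheme-less relative ones. Any other
# scheme (javascript:, data:, vbscript:) fails to match and the attribute is dropped.
SAFE_URL = re.compile(r"^(?:(?:https?|mailto|tel):|[^&:/?#]*(?:[/?#]|$))", re.I)


class TemplateSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes and drops everything else,
    including the whole subtree of a disallowed element such as <script>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a disallowed element

    def _attrs(self, tag, attrs):
        permitted = ALLOWED["*"] | ALLOWED[tag]
        kept = []
        for name, value in attrs:
            if name not in permitted:          # on*=, style=, srcdoc=, ... end here
                continue
            value = value or ""
            # html.parser has already decoded entities, so "javascript&colon;"
            # arrives as "javascript:" and is caught by the scheme check.
            if name in URL_ATTRS and not SAFE_URL.match(value.strip()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag not in ALLOWED:
            if tag not in VOID_TAGS:
                self.skip_depth = 1        # drop until the matching end tag
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # <tag/> is opened and closed at once, so it never enters skip mode.
        if self.skip_depth or tag not in ALLOWED:
            return
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
        elif tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments never reach the output


def sanitize_template(template):
    """Return the allowlisted re-serialisation of a tooltip/popover template."""
    p = TemplateSanitizer()
    p.feed(template)
    p.close()
    return "".join(p.out)
```

The important design point is that filtering happens on the parsed tree, not on the raw string: a regex over the source text would miss entity-encoded schemes and unquoted attributes that the browser's parser accepts. An unclosed disallowed element (a stray `<svg ...>` with no end tag) makes the sanitizer drop the remainder of the template, which is the fail-closed behaviour you want.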
Recommendation
For bootstrap 4.x upgrade to 4.3.1 or later.
For bootstrap 3.x upgrade to 3.4.1 or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl2M20tOGZwOC1tajk5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 5 years ago
Updated: 5 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-9v3m-8fp8-mj99, CVE-2019-8331
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-8331
- https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8331
- https://github.com/twbs/bootstrap/pull/28236
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/errata/RHSA-2019:3023
- https://access.redhat.com/errata/RHSA-2019:3024
- https://github.com/twbs/bootstrap/releases/tag/v3.4.1
- https://github.com/twbs/bootstrap/releases/tag/v4.3.1
- https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://seclists.org/bugtraq/2019/May/18
- https://support.f5.com/csp/article/K24383845
- https://www.oracle.com/security-alerts/cpuApr2021.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- https://www.tenable.com/security/tns-2021-14
- https://web.archive.org/web/20200227083900/http://www.securityfocus.com/bid/107375
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2019-8331.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
- https://github.com/seyhunak/twitter-bootstrap-rails/tree/master/app/assets/javascripts/twitter/bootstrap
- https://github.com/advisories/GHSA-9v3m-8fp8-mj99
Blast Radius: 99.3
Affected Packages
rubygems:twitter-bootstrap-rails
Dependent packages: 83; Dependent repositories: 27,499
Downloads: 9,327,115 total
Affected Version Ranges: <= 5.0.0
No known fixed version
All affected versions: 0.0.3, 0.0.4, 0.0.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 3.2.0, 3.2.2, 4.0.0, 5.0.0
npm:bootstrap-sass
Dependent packages: 1,027; Dependent repositories: 89,805
Downloads: 1,592,162 last month
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 2.3.2, 3.4.1, 3.4.2, 3.4.3
npm:bootstrap
Dependent packages: 17,952; Dependent repositories: 874,564
Downloads: 23,398,891 last month
Affected Version Ranges: >= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1
Fixed in: 3.4.1, 4.3.1
All affected versions: 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0
All unaffected versions: 0.0.1, 0.0.2, 3.4.1, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:bootstrap.sass
Dependent packages: 2; Dependent repositories: 110
Downloads: 1,021,186 total
Affected Version Ranges: < 4.3.1
Fixed in: 4.3.1
All affected versions: 3.4.1, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1
All unaffected versions: 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:bootstrap
Dependent packages: 511; Dependent repositories: 140,376
Downloads: 95,141,041 total
Affected Version Ranges: >= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1
Fixed in: 3.4.1, 4.3.1
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1
All unaffected versions: 1.0.0, 2.3.1, 2.3.2, 3.4.1, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3
nuget:Bootstrap.Less
Dependent packages: 8; Dependent repositories: 543
Downloads: 4,034,527 total
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 3.4.1
rubygems:bootstrap-sass
Dependent packages: 417; Dependent repositories: 155,544
Downloads: 60,279,313 total
Affected Version Ranges: >= 3.0.0, < 3.4.1
Fixed in: 3.4.1
All affected versions: 3.3.3, 3.3.5, 3.3.6, 3.3.7, 3.4.0
All unaffected versions: 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.4.1
rubygems:bootstrap
Dependent packages: 104; Dependent repositories: 31,522
Downloads: 17,405,319 total
Affected Version Ranges: < 4.3.1
Fixed in: 4.3.1
All affected versions: 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 4.3.0
All unaffected versions: 4.3.1, 4.4.1, 4.5.0, 4.5.2, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2
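The "Affected Version Ranges" strings above are flat constraint lists, and a string such as ">= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1" cannot be read as one conjunction (no version satisfies both "< 3.4.1" and ">= 4.0.0"). The following added example, not ecosyste.ms or Bootstrap code, checks installed package versions against the ranges copied from this page. Its reading of the format is an assumption: every ">=" or ">" opens a new interval and the next "<" or "<=" closes it, while a bare "< 4.3.1" or "<= 5.0.0" is an interval with no lower bound. The version comparison is a minimal semver-style key (pre-release before release, build metadata ignored), and the inventory it scans is constructed for the demo rather than taken from a real lockfile.

```python
import re

# Affected ranges copied from the Affected Packages section of this advisory.
AFFECTED_RANGES = {
    "npm:bootstrap": ">= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1",
    "npm:bootstrap-sass": ">= 3.0.0, < 3.4.1",
    "nuget:bootstrap": ">= 3.0.0, < 3.4.1, >= 4.0.0, < 4.3.1",
    "nuget:bootstrap.sass": "< 4.3.1",
    "nuget:Bootstrap.Less": ">= 3.0.0, < 3.4.1",
    "rubygems:bootstrap": "< 4.3.1",
    "rubygems:bootstrap-sass": ">= 3.0.0, < 3.4.1",
    "rubygems:twitter-bootstrap-rails": "<= 5.0.0",
}

CONSTRAINT = re.compile(r"^(<=|>=|<|>|=)\s*([0-9][0-9A-Za-z.\-+]*)$")
COMPARE = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
}


def parse_version(text):
    """Sortable key: numeric dotted core, then pre-release before release.
    Build metadata after '+' is ignored, as semver requires."""
    text = text.split("+", 1)[0]
    core, _, pre = text.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))          # "4.3" compares as 4.3.0
    return (nums, 0 if pre else 1, pre)


def parse_ranges(text):
    """Split the page's flat constraint list into (lower, upper) intervals.
    Assumed format: each '>=' / '>' opens an interval, the next '<' / '<='
    closes it; a bare '<' / '<=' is an interval with no lower bound."""
    intervals, current = [], None
    for part in text.split(","):
        m = CONSTRAINT.match(part.strip())
        if not m:
            raise ValueError(f"unrecognised constraint: {part!r}")
        op, ver = m.group(1), parse_version(m.group(2))
        if op == "=":
            intervals.append(((">=", ver), ("<=", ver)))
        elif op in (">=", ">"):
            if current:
                intervals.append(current)   # previous interval had no upper bound
            current = ((op, ver), None)
        else:
            intervals.append(((current or (None, None))[0], (op, ver)))
            current = None
    if current:
        intervals.append(current)
    return intervals


def is_affected(version, ranges):
    """True if `version` falls inside any interval of the range string."""
    v = parse_version(version)
    for lower, upper in parse_ranges(ranges):
        if (lower is None or COMPARE[lower[0]](v, lower[1])) and \
           (upper is None or COMPARE[upper[0]](v, upper[1])):
            return True
    return False


def scan(installed):
    """installed: iterable of (ecosystem:package, version) pairs, e.g. pulled
    from package-lock.json, Gemfile.lock or packages.lock.json.
    Returns the pairs that fall inside this advisory's affected ranges."""
    return [(pkg, ver) for pkg, ver in installed
            if pkg in AFFECTED_RANGES and is_affected(ver, AFFECTED_RANGES[pkg])]


# Constructed sample inventory for the demo (not real lockfile data).
SAMPLE_INVENTORY = [
    ("npm:bootstrap", "4.3.0"),                      # affected
    ("npm:bootstrap", "4.3.1"),                      # fixed
    ("npm:bootstrap", "3.4.1"),                      # fixed
    ("npm:bootstrap", "5.3.3"),                      # 5.x never affected
    ("npm:bootstrap", "4.3.1-beta"),                 # pre-release sorts before 4.3.1
    ("rubygems:twitter-bootstrap-rails", "5.0.0"),   # no fixed version listed
    ("nuget:bootstrap.sass", "3.4.1"),               # inside the page's "< 4.3.1" range
    ("npm:jquery", "3.7.1"),                         # not in this advisory
]

if __name__ == "__main__":
    for pkg, ver in scan(SAMPLE_INVENTORY):
        print(f"AFFECTED  {pkg}@{ver}  ({AFFECTED_RANGES[pkg]})")
```

Two things this makes visible that the tables alone do not: a pre-release of the fixed version (4.3.1-beta) is still inside the affected range, and for rubygems:twitter-bootstrap-rails the open-ended "<= 5.0.0" with no fixed version means an upgrade of that gem alone cannot clear the finding; the bundled Bootstrap assets it ships have to be replaced.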