Lucene search

RubySecRUBY:BOOTSTRAP-2024-6531

HistoryJul 10, 2024 - 9:00 p.m.

Bootstrap Cross-Site Scripting (XSS) vulnerability

2024-07-1021:00:00

RubySec

github.com

bootstrap

cross-site scripting

xss

vulnerability

carousel component

data-slide

data-slide-to

href attribute

inadequate sanitization

arbitrary javascript

browser

attack

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

AI Score

6.2

Confidence

High

JSON

A vulnerability has been identified in Bootstrap that exposes users
to Cross-Site Scripting (XSS) attacks. The issue is present in the
carousel component, where the data-slide and data-slide-to attributes
can be exploited through the href attribute of an <a> tag due to
inadequate sanitization. This vulnerability could potentially enable
attackers to execute arbitrary JavaScript within the victim’s browser.

Affected configurations

Vulners

Node

rubybootstrapRange≤4.6.2

VendorProductVersionCPE
rubybootstrap*cpe:2.3:a:ruby:bootstrap:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	bootstrap	*	cpe:2.3:a:ruby:bootstrap::::::::

References

github.com/advisories/GHSA-vc8w-jr9v-vj7f

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

AI Score

6.2

Confidence

High

JSON

Related for RUBY:BOOTSTRAP-2024-6531