CVE-2018-14040

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

‍

A cross-site scripting (XSS) vulnerability (CVE-2018-14040) has been identified within the Bootstrap 2 Collapse component.

‍

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

‍

Details

Module Info

• Product: Bootstrap
• Affected packages: bootstrap
• Affected versions: >=2.3.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.1.2
• GitHub repository: https://github.com/twbs/bootstrap
• Published packages: https://npmjs.com/package/bootstrap
• Package manager: npm
• Fixed in: Bootstrap NES v2.3.5

‍

Vulnerability Info

The Medium-severity vulnerability is a result of improper handling of the data-parent attribute, which could allow an attacker to inject malicious JavaScript code.

‍

The data-parent attribute is used to reference the ancestor container for collapsible elements. The affected code directly assigns the raw value of this.options.parent to this.$parent, trusting the input without validation or sanitization, leading to potential XSS attacks.

‍

Steps To Reproduce

• Create an HTML page that is set up to use Bootstrap v2 and create an accordion component.
• Change one of the data-parent attributes to contain the following value: <img src='1' onerror='alert(1)' />
• Click the “data-parent XSS Example” link to fire the XSS.
• Example:

<div class="accordion" id="accordion">
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="#accordion"
        href="#collapseOne"
      >
        Collapsible Group Item #1
      </a>
    </div>
    <div id="collapseOne" class="accordion-body collapse in">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="<img src='1' onerror='alert(1)' />"
        href="#collapseTwo"
      >
        'data-parent' XSS Example
      </a>
    </div>
    <div id="collapseTwo" class="accordion-body collapse">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
</div>

‍

Mitigation

The Bootstrap 2 version is End-of-Life and will not receive any updates to address this issue. For more information see here.

‍

Users of the affected components should apply one of the following mitigations:

• Migrate affected applications to a supported version of Bootstrap.
• Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍

Credits

• 1Jesper1 (finder)