RESCINDED

This is not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior falls outside the scope of Bootstrap’s security model, and the associated CVE has been rescinded.

CVE-2024-6531

Cross-Site Scripting

Affects

Bootstrap

Versions

>=4.0.0 <=4.6.2

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

‍

A cross-site scripting (XSS) vulnerability (CVE-2024-6531) has been identified within the Bootstrap 4 Carousel component.

‍

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

‍

Details

Module Info

Product: Bootstrap
Affected packages: bootstrap
Affected versions: >=4.0.0 <=4.6.2
GitHub repository: https://github.com/twbs/bootstrap
Published packages: https://www.npmjs.com/package/bootstrap
Package manager: npm
Fixed in: Bootstrap NES v4.6.4

‍

Vulnerability Info

An anchor element (<a>), when used for carousel navigation with a data-slide attribute, can contain an href attribute value that is not subject to proper content sanitization. Improper extraction of the intended target carousel’s #id from the href attribute can lead to use cases where the click event’s preventDefault() is not applied and the href is evaluated and executed. As a result, restrictions are not applied to the data that is evaluated, which can lead to potential XSS vulnerabilities.

‍