FLAT-ZDGTW – Vulnerability | Fluid Attacks Database

Database

Description

Bootstrap Vulnerable to Cross-Site Scripting Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

Recommendation

For bootstrap 4.x upgrade to 4.3.1 or later. For bootstrap 3.x upgrade to 3.4.1 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	twitter-bootstrap3	>=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
debian 14	twitter-bootstrap3	>=0 <3.4.1+dfsg-1	3.4.1+dfsg-1
rubygems	twitter-bootstrap-rails	>=0 <5.3.0	5.3.0
npm	bootstrap-sass	>=3.0.0 <3.4.1 \|\| >=3.0.0 <3.4.1	3.4.1, 3.4.1
nuget	bootstrap.sass	>=0 <4.3.1	4.3.1
nuget	bootstrap.less	>=3.0.0 <3.4.1	3.4.1
packagist	twbs/bootstrap	>=3.0.0 <3.4.1 \|\| >=4.0.0 <4.3.1	3.4.1, 4.3.1
npm	bootstrap	>=0 <3.4.1 \|\| >=4.0.0 <4.3.1	4.3.1, 4.3.1, 3.4.1, 4.3.1, 3.4.1
maven	org.webjars:bootstrap	>=3.0.0 <3.4.1 \|\| >=4.0.0 <4.3.1	3.4.1, 4.3.1
nuget	bootstrap	>=0 <3.4.1 \|\| >=4.3.0 <4.3.1	3.4.1, 4.3.1

1-10 of 21

10

Aliases

1. CVE-2019-83312. NVD-2019-83313. OSV-DEBIAN-2019-83314. OSV-2019-83315. GHSA-9v3m-8fp8-mj996. GCVE-2019-83317. SECURITY-TRACKER-CVE-2019-83318. access.redhat.com9. access.redhat.com10. access.redhat.com11. cve.mitre.org12. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2019-8331.yml13. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2019-8331.yml

References

1. https://github.com/Snorlyd/https-nj.gov---CVE-2019-83312. https://github.com/twbs/bootstrap/pull/282363. https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E4. https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E5. https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E6. https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E7. https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E8. https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E9. https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E10. https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E11. https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E12. https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3Cissues.hbase.apache.org%3E13. https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E14. https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E15. https://seclists.org/bugtraq/2019/May/1816. https://support.f5.com/csp/article/K2438384517. https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp%3Butm_medium=RSS18. https://support.f5.com/csp/article/K24383845?utm_source=f5support&utm_medium=RSS19. https://web.archive.org/web/20200227083900/http://www.securityfocus.com/bid/10737520. https://www.oracle.com/security-alerts/cpuApr2021.html21. https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-122. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-833123. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2019-8331.yml24. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2019-8331.yml25. https://github.com/seyhunak/twitter-bootstrap-rails/tree/master/app/assets/javascripts/twitter/bootstrap26. https://github.com/twbs/bootstrap/releases/tag/v3.4.127. https://github.com/twbs/bootstrap/releases/tag/v4.3.128. https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E29. https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E30. https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E31. https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E32. https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E33. https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E34. https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E35. https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E36. http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html37. http://seclists.org/fulldisclosure/2019/May/1038. http://seclists.org/fulldisclosure/2019/May/1139. http://seclists.org/fulldisclosure/2019/May/13