Fluid Attacks Database

Description

Bootstrap Cross-site Scripting vulnerability In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.

See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	twitter-bootstrap3	>=0 <3.4.0+dfsg-1	3.4.0+dfsg-1
rubygems	bootstrap	>=0 <3.4.0	3.4.0
nuget	bootstrap.sass	>=4.0.0-beta <4.0.0-beta.2	4.0.0-beta.2
debian 12	twitter-bootstrap3	>=0 <3.4.0+dfsg-1	3.4.0+dfsg-1
maven	org.webjars:bootstrap	>=2.0.4 <3.4.0 \|\| >=4.0.0-beta <4.0.0-beta.2	3.4.0, 4.0.0-beta.2
rubygems	bootstrap-sass	>=2.0.4 <3.4.0 \|\| >=2.0.4 <3.4.0	3.4.0, 3.4.0
nuget	bootstrap	>=2.0.4 <3.4.0 \|\| >=4.0.0-beta <4.0.0-beta.2 \|\| >=0 <4.0.0-beta.2 \|\| >=2.0.4 <3.4.0 \|\| >=4.0.0-beta <4.0.0-beta.2	3.4.0, 4.0.0-beta.2, 4.0.0-beta.2, 3.4.0, 4.0.0-beta.2
packagist	twbs/bootstrap	>=2.0.4 <3.4.0 \|\| >=4.0.0-beta <4.0.0-beta.2	3.4.0, 4.0.0-beta.2
npm	bootstrap-sass	>=2.0.4 <3.4.0	3.4.0
npm	bootstrap	>=0 <3.4.0 \|\| >=4.0.0-alpha <4.0.0-beta.2	3.4.0

1-10 of 16

Aliases

1. CVE-2016-107352. NVD-2016-107353. OSV-DEBIAN-2016-107354. OSV-2016-107355. GHSA-4p24-vmcr-4gqj6. GCVE-2016-107357. SECURITY-TRACKER-CVE-2016-107358. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2016-10735.yml15. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2016-10735.yml

References