CVE-2016-10735

Description

In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041. See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.

Affected packages (9)

• Debian/twitter-bootstrap3from 0, < 3.4.0+dfsg-1
• Maven/org.webjars:bootstrap>= 2.0.4, < 3.4.0
• npm/bootstrap>= 2.0.4, < 3.4.0
• npm/bootstrap-sass>= 2.0.4, < 3.4.0
• NuGet/bootstrap>= 2.0.4, < 3.4.0
• NuGet/bootstrap.sass>= 4.0.0-beta, < 4.0.0-beta.2
• Packagist/twbs/bootstrap>= 2.0.4, < 3.4.0
• RubyGems/bootstrapfrom 0, < 4.0.0-beta.2
• RubyGems/bootstrap-sass>= 2.0.4, < 3.4.0

CVSS scores

References (19)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-10735
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-10735
• PATCHhttps://github.com/twbs/bootstrap
• WEBhttps://access.redhat.com/errata/RHBA-2019:1076
• WEBhttps://access.redhat.com/errata/RHBA-2019:1570
• WEBhttps://access.redhat.com/errata/RHSA-2019:1456
• WEBhttps://access.redhat.com/errata/RHSA-2019:3023
• WEBhttps://access.redhat.com/errata/RHSA-2020:0132
• WEBhttps://access.redhat.com/errata/RHSA-2020:0133
• WEBhttps://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2
• WEBhttps://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
• WEBhttps://github.com/github/advisory-database/pull/3281
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2016-10735.yml
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2016-10735.yml
• WEBhttps://github.com/twbs/bootstrap/issues/20184
• WEBhttps://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
• WEBhttps://github.com/twbs/bootstrap/pull/23679
• WEBhttps://github.com/twbs/bootstrap/pull/23687
• WEBhttps://github.com/twbs/bootstrap/pull/26460