CVE-2024-6485

MEDIUM6.4EPSS 0.14%

Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

Published: 7/11/2024Modified: 4/28/2026

Description

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

Affected packages (3)

Debian/twitter-bootstrap3from 0, < 3.4.1+dfsg-2+deb11u1
Debian/twitter-bootstrap3from 0, < 3.4.1+dfsg-2+deb11u1
npm/bootstrap>= 1.4.0, <= 3.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-6485
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-6485
PATCHhttps://github.com/twbs/bootstrap
WEBhttps://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
WEBhttps://www.herodevs.com/vulnerability-directory/cve-2024-6485