CVE-2019-8331

MEDIUM6.1EPSS 1.7%

Bootstrap Vulnerable to Cross-Site Scripting

發布日:2019/2/22修改日:2026/6/2

描述

Versions of `bootstrap` prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The `data-template` attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript. ## Recommendation For `bootstrap` 4.x upgrade to 4.3.1 or later. For `bootstrap` 3.x upgrade to 3.4.1 or later.

受影響套件(12)

Debian/twitter-bootstrap3from 0, < 3.4.1+dfsg-1
Debian/twitter-bootstrap4from 0, < 4.3.1+dfsg2-1
Maven/org.webjars:bootstrap>= 3.0.0, < 3.4.1
npm/bootstrap>= 4.0.0, < 4.3.1
npm/bootstrap-sass>= 3.0.0, < 3.4.1
NuGet/bootstrap>= 4.0.0, < 4.3.1
NuGet/Bootstrap.Less>= 3.0.0, < 3.4.1
NuGet/bootstrap.sassfrom 0, < 4.3.1
Packagist/twbs/bootstrap>= 3.0.0, < 3.4.1
RubyGems/bootstrapfrom 0, < 4.3.1
RubyGems/bootstrap-sass>= 3.0.0, < 3.4.1
RubyGems/twitter-bootstrap-railsfrom 0, <= 5.0.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

描述

受影響套件(12)

CVSS 分數

參考連結(46)