CVE-2024-6485

MEDIUM6.4EPSS 0.14%

Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

發布日:2024/7/11修改日:2026/4/28

描述

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

受影響套件(3)

Debian/twitter-bootstrap3from 0, < 3.4.1+dfsg-2+deb11u1
Debian/twitter-bootstrap3from 0, < 3.4.1+dfsg-2+deb11u1
npm/bootstrap>= 1.4.0, <= 3.4.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-6485
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-6485
PATCHhttps://github.com/twbs/bootstrap
WEBhttps://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
WEBhttps://www.herodevs.com/vulnerability-directory/cve-2024-6485