pi-nexus-autonomous-banking-network icon indicating copy to clipboard operation
pi-nexus-autonomous-banking-network copied to clipboard

Published 20 hours ago verified publisher icon KOSASIH

bootstrap-4.0.0.min.js: 5 vulnerabilities (highest severity is: 6.4)

Open mend-bolt-for-github[bot] opened this issue 1 year ago • 0 comments

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (bootstrap version) Remediation Possible**
CVE-2024-6531 Medium 6.4 bootstrap-4.0.0.min.js Direct bootstrap - 5.0.0
CVE-2019-8331 Medium 6.1 bootstrap-4.0.0.min.js Direct bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-14042 Medium 6.1 bootstrap-4.0.0.min.js Direct org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2018-14041 Medium 6.1 bootstrap-4.0.0.min.js Direct org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2
CVE-2018-14040 Low 3.7 bootstrap-4.0.0.min.js Direct bootstrap - 3.4.0,4.1.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6531

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Dependency Hierarchy:

  • :x: bootstrap-4.0.0.min.js (Vulnerable Library)

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Found in base branch: main

Vulnerability Details

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

Publish Date: 2024-07-11

URL: CVE-2024-6531

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-vc8w-jr9v-vj7f

Release Date: 2024-07-11

Fix Resolution: bootstrap - 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2019-8331

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Dependency Hierarchy:

  • :x: bootstrap-4.0.0.min.js (Vulnerable Library)

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Found in base branch: main

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

Step up your Open Source Security Game with Mend here

CVE-2018-14042

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Dependency Hierarchy:

  • :x: bootstrap-4.0.0.min.js (Vulnerable Library)

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

Step up your Open Source Security Game with Mend here

CVE-2018-14041

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Dependency Hierarchy:

  • :x: bootstrap-4.0.0.min.js (Vulnerable Library)

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

Publish Date: 2018-07-13

URL: CVE-2018-14041

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:4.1.2

Step up your Open Source Security Game with Mend here

CVE-2018-14040

Vulnerable Library - bootstrap-4.0.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0/js/bootstrap.min.js

Path to dependency file: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Path to vulnerable library: /blockchain_integration/pi_network/PiFusion/pi_fusion_dashboard/templates/base.html

Dependency Hierarchy:

  • :x: bootstrap-4.0.0.min.js (Vulnerable Library)

Found in HEAD commit: 3f4e44c5da32bed8968f0821ee76f99874840f22

Found in base branch: main

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040

Release Date: 2018-07-13

Fix Resolution: bootstrap - 3.4.0,4.1.2

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Aug 05 '24 01:08 mend-bolt-for-github[bot]