
Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484

Open PeterVenhuizen opened this issue 1 year ago • 11 comments

As identified by our bundle audit job in the CI:

Name: bootstrap-sass
Version: 3.4.1
CVE: CVE-2024-6484
GHSA: GHSA-9mvj-f7w8-pvh2
Criticality: Medium
URL: https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
Title: Bootstrap Cross-Site Scripting (XSS) vulnerability
Solution: remove or disable this gem until a patch is available!

Text from the GitHub advisories: "A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser."

PeterVenhuizen avatar Aug 07 '24 06:08 PeterVenhuizen

https://www.herodevs.com/vulnerability-directory/cve-2024-6484

How is this a CVE!

You have to put your own hyperlink with malicious javascript on the page:

<a
    href="javascript:alert('XSS href')"
    class="left"
    role="button"
    data-slide="prev"
  >

doconnor-clintel avatar Aug 21 '24 00:08 doconnor-clintel

Would sanitizing the href value in the carousel data api be a sufficient fix? If so, I could fork the repo and put a PR up.

PBaciu avatar Sep 07 '24 22:09 PBaciu

@twbs please, pay attention to this problem

PoroshkinaVV avatar Sep 15 '24 13:09 PoroshkinaVV

is there any solution for this issue? will this be patched or not?

hocine15 avatar Oct 18 '24 07:10 hocine15

Is this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

pau1phi11ips avatar Oct 18 '24 07:10 pau1phi11ips

it brings some problems in our pipeline (security check), are you able to solve the issue?

arosiek avatar Feb 27 '25 08:02 arosiek

Is this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

Some CMS user may do something wrong. It requires additional issues on the website, but why not protect against it here? Plus the script is more hidden, and as a carousel button it is more attractive to click.

arosiek avatar Feb 27 '25 08:02 arosiek

You can mitigate this by adding a one line event.preventDefault(), just like in Bootstrap 5's carousel.js. Free fix that doesn't require a subscription.

Here's my fix in carousel.js - the method starts at line 542:

  static _dataApiClickHandler(event) {
    const selector = Util.getSelectorFromElement(this)
    event.preventDefault(); // this is the fix
    if (!selector) {
      return
    }
    // ... remainder of the handler unchanged
  }

The vulnerability is way overblown. It's way too easy to submit CVE these days to scare people.

prana-lee avatar Feb 27 '25 17:02 prana-lee
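As an added example (not code from this thread, from bootstrap-sass, or from Bootstrap itself), the block below shows the two defender-side points raised above in runnable form: a small model of the handler's early-return path, where `Util.getSelectorFromElement(this)` is replaced by a plain `selector` argument to show why the position of `event.preventDefault()` matters, and a content audit that scans CMS-authored HTML for carousel controls (`data-slide` / `data-slide-to`) whose `href` uses a non-navigational scheme. The HTML sample is constructed for the example; the function and constant names are my own.

```javascript
// Added example, not code from this thread or from Bootstrap.
//  1. navigationStillFires(): control-flow model of the data-api click handler's
//     early return (Util.getSelectorFromElement is replaced by `selector`).
//  2. findUnsafeCarouselControls(): audit of HTML for carousel controls whose
//     href carries a non-navigational scheme (javascript:, data:, ...).

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Named entities a scheme can be hidden behind; decimal/hex forms are decoded generically.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', tab: '\t', newline: '\n', colon: ':' };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? whole : named;
  });
}

// A href is safe when it is relative or fragment-only, or uses an allow-listed scheme.
// Control characters and whitespace are stripped first because browsers ignore them
// inside the scheme, so "java\tscript:" would otherwise slip past a naive prefix check.
function isSafeHref(href) {
  const cleaned = href.replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1]);
}

// Minimal attribute parser for one start tag's attribute string (values may not contain '>').
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function parseAttributes(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns every <a> that is a carousel control (data-slide / data-slide-to) and whose
// decoded href is not a navigational URL. Anchors without those attributes are ignored.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
function findUnsafeCarouselControls(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttributes(m[1]);
    const isControl = 'data-slide' in attrs || 'data-slide-to' in attrs;
    if (!isControl || !('href' in attrs)) continue;
    if (!isSafeHref(decodeEntities(attrs.href))) {
      findings.push({ href: attrs.href, control: attrs['data-slide'] ?? attrs['data-slide-to'] });
    }
  }
  return findings;
}

// Models the handler's early-return path. `selector` stands in for the resolved
// carousel target; `preventFirst` toggles whether preventDefault() runs before the
// early return (the one-line fix) or only after a target is found (original order).
// Returns true when the anchor's default navigation would still fire.
function navigationStillFires(selector, preventFirst) {
  const event = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
  if (preventFirst) event.preventDefault();
  if (!selector) return !event.defaultPrevented; // early return: no carousel target
  event.preventDefault();                         // original position of the call
  return !event.defaultPrevented;
}

// Constructed sample markup for the audit (not from the thread).
const SAMPLE_HTML = `
<div id="carousel" class="carousel slide">
  <a class="left carousel-control" href="#carousel" role="button" data-slide="prev">Prev</a>
  <a class="right carousel-control" href="javascript:alert(1)" role="button" data-slide="next">Next</a>
  <a href="&#106;avascript:alert(2)" data-slide-to="1">Go</a>
  <a href="https://example.com/" data-slide="next">Ok</a>
  <a href="javascript:void(0)" class="btn">Not a carousel control</a>
</div>`;

console.log(JSON.stringify(findUnsafeCarouselControls(SAMPLE_HTML), null, 2));

module.exports = { isSafeHref, decodeEntities, findUnsafeCarouselControls, navigationStillFires };
```

The audit deliberately scopes itself to anchors carrying `data-slide` / `data-slide-to`, matching the advisory's description; a general CMS sanitiser would apply `isSafeHref` to every `href`, and the scheme allow-list is the part worth keeping regardless of which carousel version is in use.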

You can mitigate this by adding a one line event.preventDefault(), just like in Bootstrap 5's carousel.js. Free fix that doesn't require a subscription.

Here's my fix in carousel.js - the method starts at line 542:

  static _dataApiClickHandler(event) {
    const selector = Util.getSelectorFromElement(this)
    event.preventDefault(); // this is the fix
    if (!selector) {
      return

The vulnerability is way overblown. It's way too easy to submit CVE these days to scare people.

Hi! Thanks, but the vulnerability is not the problem here. The CVE itself is the problem. Can someone solve this?

arosiek avatar Mar 03 '25 08:03 arosiek

Hopefully, the issue is resolved soon.

zenepay avatar May 26 '25 10:05 zenepay

https://ubuntu.com/security/notices/USN-7556-1 fixes CVE-2024-6484

https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3 fixes CVE-2024-6484

git123-99 avatar Jun 11 '25 10:06 git123-99