CVE-2019-10842
https://notcve.org/view.php?id=CVE-2019-10842
Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3 when downloaded from rubygems.org. An unauthenticated attacker can send a ___cfduid cookie whose value is base64-encoded code; the backdoor decodes the value and passes it to eval(), which executes the attacker's code on the target system. Note that there are three underscore characters in the cookie name; this is unrelated to the __cfduid cookie that Cloudflare legitimately sets. • http://dgb.github.io/2019/04/05/bootstrap-sass-backdoor.html https://github.com/twbs/bootstrap-sass/issues/1195 https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem https://snyk.io/vuln/SNYK-RUBY-BOOTSTRAPSASS-174093 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-8331 – bootstrap: XSS in the tooltip or popover data-template attribute
https://notcve.org/view.php?id=CVE-2019-8331
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. If an attacker can control the data given to a tooltip or popover, they can inject HTML or JavaScript into the rendered page when the tooltip or popover events fire. • https://github.com/Thampakon/CVE-2019-8331 https://github.com/ossf-cve-benchmark/CVE-2019-8331 https://github.com/Snorlyd/https-nj.gov---CVE-2019-8331 http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/13 http://www.securityfocus.com/bid/107375 https://access.redhat.com/errata/RHSA-2019:1456 https://access.re • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20676 – bootstrap: XSS in the tooltip data-viewport attribute
https://notcve.org/view.php?id=CVE-2018-20676
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. The attribute's value is used without proper validation, so a remote attacker who controls it can run script in a victim's browser within the security context of the hosting site, which can lead to theft of the victim's cookie-based authentication credentials. • https://github.com/ossf-cve-benchmark/CVE-2018-20676 https://access.redhat.com/errata/RHBA-2019:1076 https://access.redhat.com/errata/RHBA-2019:1570 https://access.redhat.com/errata/RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0133 https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 https://github.com/twbs/bootstrap/issues/27044 https://github.com/t • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10735 – bootstrap: XSS in the data-target attribute
https://notcve.org/view.php?id=CVE-2016-10735
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. This is a different vulnerability from CVE-2018-14041. • https://github.com/ossf-cve-benchmark/CVE-2016-10735 https://access.redhat.com/errata/RHBA-2019:1076 https://access.redhat.com/errata/RHBA-2019:1570 https://access.redhat.com/errata/RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0133 https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 https://github.com/twbs/bootstrap/issues/20184 https://github.com/t • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20677 – bootstrap: XSS in the affix configuration target property
https://notcve.org/view.php?id=CVE-2018-20677
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. The property's value is used without proper validation, so a remote attacker who controls it can run script in a victim's browser within the security context of the hosting site, which can lead to theft of the victim's cookie-based authentication credentials. • https://github.com/ossf-cve-benchmark/CVE-2018-20677 https://access.redhat.com/errata/RHBA-2019:1076 https://access.redhat.com/errata/RHBA-2019:1570 https://access.redhat.com/errata/RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0133 https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 https://github.com/twbs/bootstrap/issues/27045 https://github.com/t • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •