6 results (0.018 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. Se ha identificado una vulnerabilidad en Bootstrap que expone a los usuarios a ataques de Cross-Site Scripting (XSS). El problema está presente en el componente carousel, donde los atributos data-slide y data-slide-to pueden explotarse a través del atributo href de una etiqueta <a rel="nofollow"> debido a una sanitización inadecuada. • https://www.herodevs.com/vulnerability-directory/cve-2024-6531 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 56EXPL: 3

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. En Bootstrap, en versiones anteriores a la 3.4.1 y versiones 4.3.x anteriores a la 4.3.1, es posible Cross-Site Scripting (XSS) en los atributos de data-template tooltip o popover. A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired. • https://github.com/Thampakon/CVE-2019-8331 https://github.com/ossf-cve-benchmark/CVE-2019-8331 https://github.com/Snorlyd/https-nj.gov---CVE-2019-8331 http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/13 http://www.securityfocus.com/bid/107375 https://access.redhat.com/errata/RHSA-2019:1456 https://access.re • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. En las versiones de Bootstrap anteriores a la 3.4.0 y en las 4.x-beta anteriores a la 4.0.0-beta.2, Cross-Site Scripting (XSS) es posible en el atributo "data-target". Se trata de una vulnerabilidad diferente de CVE-2018-14041. • https://github.com/ossf-cve-benchmark/CVE-2016-10735 https://access.redhat.com/errata/RHBA-2019:1076 https://access.redhat.com/errata/RHBA-2019:1570 https://access.redhat.com/errata/RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0133 https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 https://github.com/twbs/bootstrap/issues/20184 https://github.com/t • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 3

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. En Bootstrap en versiones anteriores a la 4.1.2, es posible Cross-Site Scripting (XSS) en la propiedad data-target de scrollspy. A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, which can lead to stealing the victim's cookie-based authentication credentials. • https://github.com/ossf-cve-benchmark/CVE-2018-14041 https://github.com/Snorlyd/https-nj.gov---CVE-2018-14041 http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/13 https://access.redhat.com/errata/RHSA-2019:1456 https://blog.getbootstrap&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 3

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. En Bootstrap en versiones anteriores a la 4.1.2, es posible Cross-Site Scripting (XSS) en el atributo collapse data-parent. • https://github.com/ossf-cve-benchmark/CVE-2018-14040 https://github.com/Snorlyd/https-nj.gov---CVE-2018-14040 http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html http://seclists.org/fulldisclosure/2019/May/10 http://seclists.org/fulldisclosure/2019/May/11 http://seclists.org/fulldisclosure/2019/May/13 https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 https:// • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •