GEM
twitter-bootstrap-rails
SEVERITY
CVSS v3.x: 6.1 (Medium)
CVSS v2.0: 4.3 (Medium)
PATCHED VERSIONS
None.
DESCRIPTION
The seyhunak/twitter-bootstrap-rails gem includes a vendored version of the Bootstrap JavaScript library.
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
The most recent version of this gem, 5.0.0, includes Bootstrap v3.3.6. All versions of Bootstrap before v3.4.1 are affected by this vulnerability, so all versions of this gem are affected.
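Because the vulnerable library is vendored inside the gem rather than declared as a dependency, a Gemfile.lock audit alone will not surface it; the version has to be read from the shipped bootstrap.js itself. The following Ruby check is an added example, not code from the advisory or from the twitter-bootstrap-rails gem. It extracts the version from the banner comment that Bootstrap's JS builds carry, tests it against exactly the two ranges the advisory names (before 3.4.1, and 4.3.x before 4.3.1), and can walk an application tree for vendored copies. The function names, the `AFFECTED_RANGES` constant and the sample banner are all constructed for this example.

```ruby
# Added example (not from the advisory or the gem): detect a vendored Bootstrap
# JS build whose version falls inside the ranges the advisory names.
require "rubygems" # Gem::Version and Gem::Requirement

# Ranges taken verbatim from the advisory text: "before 3.4.1" and
# "4.3.x before 4.3.1". Nothing else is asserted here; a version outside both
# ranges is simply reported as not matching this advisory.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 3.4.1"),
  Gem::Requirement.new(">= 4.3.0", "< 4.3.1"),
].freeze

# Bootstrap JS builds open with a banner comment of the form
#   /*!
#    * Bootstrap v3.3.6 (http://getbootstrap.com)
# Pull the version out of that banner; return nil when no banner is present.
def bootstrap_version_from_js(source)
  m = source.match(/^\s*\*?\s*Bootstrap v(\d+\.\d+\.\d+)/)
  m && Gem::Version.new(m[1])
end

# True when the version lies in one of the advisory's affected ranges.
def affected_by_template_xss?(version)
  v = version.is_a?(Gem::Version) ? version : Gem::Version.new(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Walk a directory tree for vendored bootstrap*.js files and return
# [path, version] pairs for the builds that match the advisory.
def scan_for_vulnerable_bootstrap(root)
  Dir.glob(File.join(root, "**", "bootstrap*.js")).filter_map do |path|
    # Only the header is needed, so read the first 2 KiB of each file.
    version = bootstrap_version_from_js(File.read(path, 2048)) or next
    [path, version.to_s] if affected_by_template_xss?(version)
  end
end

# Constructed sample banner matching the Bootstrap build this gem ships (3.3.6).
SAMPLE_JS_HEADER = <<~JS
  /*!
   * Bootstrap v3.3.6 (http://getbootstrap.com)
   * Copyright 2011-2015 Twitter, Inc.
   * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
   */
JS

if $PROGRAM_NAME == __FILE__
  v = bootstrap_version_from_js(SAMPLE_JS_HEADER)
  puts "sample banner: Bootstrap #{v}, affected=#{affected_by_template_xss?(v)}"
  # Pass an application root (e.g. a Rails app directory) to scan real files.
  if ARGV[0]
    scan_for_vulnerable_bootstrap(ARGV[0]).each do |path, ver|
      puts "#{path}: Bootstrap #{ver} matches the advisory ranges"
    end
  end
end
```

Run it with the application root as the first argument (`ruby check_bootstrap.rb /path/to/app`); the scan looks at any `bootstrap*.js` under the tree, which also covers copies precompiled into `public/assets`. Because the range logic uses `Gem::Requirement`, the same function can be fed a `Gem::Version` read from Gemfile.lock when the replacement gems named in the workaround below are in use.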
Workarounds
Until this gem is updated to use Bootstrap v3.4.1, users can replace it with the official Twitter-maintained gems: bootstrap-sass (version 3.4.1) or bootstrap (Bootstrap 4 and 5).