RubySec

Providing security resources for the Ruby community

CVE-2019-8331 (twitter-bootstrap-rails): twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)

GEM

twitter-bootstrap-rails

SEVERITY

CVSS v3.x: 6.1 (Medium)

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

None.

DESCRIPTION

The seyhunak/twitter-bootstrap-rails gem includes a vendored version of the Bootstrap JavaScript library.

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

The most recent version of this gem, 5.0.0, includes Bootstrap v3.3.6. All versions of Bootstrap before v3.4.1 are affected by this vulnerability, so all versions of this gem are affected.

Workarounds

Until this gem is updated to use Bootstrap v3.4.1, users can replace it with the official Twitter-maintained gems: bootstrap-sass (version 3.4.1) or bootstrap (Bootstrap 4 and 5).
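As an added example (not RubySec's code or part of this advisory), the script below scans a Gemfile.lock and flags any locked gem whose vendored Bootstrap predates the fix: every twitter-bootstrap-rails version, bootstrap-sass below 3.4.1, and the bootstrap gem below 4.3.1. The bootstrap gem threshold assumes its gem version tracks the Bootstrap release it ships, and the sample lockfile is constructed for the demonstration.

```ruby
# Added example: detect gems affected by CVE-2019-8331 in a Gemfile.lock.
require "rubygems"

# First gem version that ships a patched Bootstrap. twitter-bootstrap-rails has
# no patched release, so it is flagged at any version. The bootstrap gem
# threshold assumes the gem version tracks the Bootstrap release it vendors.
PATCHED_FROM = {
  "twitter-bootstrap-rails" => nil,
  "bootstrap-sass"          => Gem::Version.new("3.4.1"),
  "bootstrap"               => Gem::Version.new("4.3.1"),
}.freeze

# Parse the "specs:" section of a Gemfile.lock into {name => Gem::Version}.
# Only resolved spec lines ("    name (x.y.z)", four-space indent) count;
# nested dependency lines are indented deeper and are skipped.
def parse_lockfile(text)
  text.each_line.each_with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \((\d[^)]*)\)\s*\z/)
    specs[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Return [[gem, version, remediation], ...] for each affected locked gem.
def affected_gems(lockfile_text)
  parse_lockfile(lockfile_text).filter_map do |name, version|
    next unless PATCHED_FROM.key?(name)
    fixed = PATCHED_FROM[name]
    if fixed.nil?
      [name, version.to_s, "no patched release; migrate to bootstrap-sass or bootstrap"]
    elsif version < fixed
      [name, version.to_s, "upgrade to >= #{fixed}"]
    end
  end
end

# Constructed sample lockfile excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.3.7)
        autoprefixer-rails (>= 5.2.1)
      rails (6.1.4)
      twitter-bootstrap-rails (5.0.0)
        actionpack (>= 3.1)
LOCK

if $PROGRAM_NAME == __FILE__
  affected_gems(SAMPLE_LOCK).each { |g, v, why| puts "#{g} #{v}: #{why}" }
end
```

Run it against a project's own Gemfile.lock by passing its contents to affected_gems.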