twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
Published: February 15, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-8331 (NVD)
- GHSA: GHSA-9v3m-8fp8-mj99
- Vendor Advisory: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
GEM: twitter-bootstrap-rails
PATCHED VERSIONS: None available.
DESCRIPTION
The seyhunak/twitter-bootstrap-rails gem vendors a copy of the Bootstrap JavaScript library rather than depending on an upstream package, so it receives no fix unless the vendored copy is replaced.
In Bootstrap before 3.4.1 and 4.x before 4.3.1, XSS is possible via the data-template attribute of the tooltip and popover plugins: the supplied template markup is inserted into the document as HTML without sanitization, so an attacker who controls that attribute can inject script.
The most recent version of this gem, 5.0.0, ships Bootstrap v3.3.6. All versions of Bootstrap before v3.4.1 are affected by this vulnerability, so all versions of this gem are affected.
Workarounds
Until this gem is updated to ship Bootstrap v3.4.1 or later, users can replace it
with the gems maintained by the Bootstrap project itself: bootstrap-sass (version 3.4.1 or later)
or bootstrap (version 4.3.1 or later, including the 5.x releases).
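A quick way to confirm whether an application bundle is exposed, and to verify that a replacement gem actually ships a fixed release, is to inspect the version header that Bootstrap stamps into its JavaScript files and compare it against the fixed releases named above. The script below is an added example, not code from the gem or from the Bootstrap project; the sample headers are constructed to mirror the real file headers ("Bootstrap: tooltip.js v3.3.6" in 3.x sources, "Bootstrap v4.3.1 (https://getbootstrap.com/)" in 4.x bundles), and the `scan` helper and its output format are this example's own.

```ruby
# Added example: flag vendored Bootstrap JavaScript older than the fixed releases
# (3.4.1 for the 3.x line, 4.3.1 for the 4.x line) named in the advisory.
require "rubygems" # Gem::Version handles dotted version comparison correctly

FIXED = {
  3 => Gem::Version.new("3.4.1"),
  4 => Gem::Version.new("4.3.1"),
}.freeze

# Matches both header styles Bootstrap uses:
#   " * Bootstrap: tooltip.js v3.3.6"              (3.x per-plugin sources)
#   "  * Bootstrap v4.3.1 (https://getbootstrap.com/)" (4.x bundles)
VERSION_RE = /Bootstrap(?::\s*[\w.-]+)?\s+v(\d+\.\d+\.\d+)/

# Returns the Gem::Version found in the file contents, or nil if none.
def bootstrap_version(source)
  m = VERSION_RE.match(source)
  m && Gem::Version.new(m[1])
end

# Returns :vulnerable, :fixed or :unknown for one file's contents.
# Majors below 3 are outside the advisory's scope and reported as :unknown;
# majors above 4 (5.x and later) were never affected.
def assess(source)
  version = bootstrap_version(source)
  return :unknown unless version

  major = version.segments.first
  return :unknown if major < 3
  fixed = FIXED[major]
  return :fixed unless fixed

  version < fixed ? :vulnerable : :fixed
end

# Walks the given directories (e.g. `bundle show --paths`) and assesses every .js file.
def scan(paths)
  paths.flat_map { |p| Dir.glob(File.join(p, "**", "*.js")) }
       .each_with_object({}) { |file, out| out[file] = assess(File.read(file)) }
end

# Constructed sample file contents, modeled on the real headers (hypothetical paths).
SAMPLES = {
  "twitter-bootstrap-rails/tooltip.js" =>
    "/* ====\n * Bootstrap: tooltip.js v3.3.6\n * http://getbootstrap.com/javascript/#tooltip\n */",
  "bootstrap-sass/tooltip.js" =>
    "/* ====\n * Bootstrap: tooltip.js v3.4.1\n */",
  "bootstrap/bootstrap.bundle.js" =>
    "/*!\n  * Bootstrap v4.3.1 (https://getbootstrap.com/)\n  */",
  "app/unrelated.js" => "// no Bootstrap here",
}.freeze

if ARGV.empty?
  SAMPLES.each { |name, src| puts "#{assess(src)}\t#{name}" }
else
  scan(ARGV).each { |file, status| puts "#{status}\t#{file}" }
end
```

Run it with no arguments to see the constructed samples, or pass the directories from `bundle show --paths` to check a real bundle; any line reporting `vulnerable` is a copy of Bootstrap that still needs replacing.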
