Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

---
gem: bootstrap
date: 2018-07-03
url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
cve: 2018-14040
title: XSS vulnerabilities via data-parent, data-target, data-container in bootstrap
description: |
  In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent
  attribute (CVE-2018-14040), the data-target property of scrollspy
  (CVE-2018-14041), and the data-container property of tooltip (CVE-2018-14042).
cvss_v2: '4.3'
cvss_v3: '6.1'
patched_versions:
- ">= 4.1.2"
related:
  cve: '["2018-14041", "2018-14042"]'
  url: '["https://github.com/twbs/bootstrap/issues/26423"]'