Bug 1668082 (CVE-2018-20676)
| Summary: | CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abergmann, abokovoy, aileenc, alazarot, amasferr, amctagga, anstephe, aoconnor, apevec, aturgema, bbuckingham, bcourt, bdettelb, bkearney, bniver, chazlett, cheimes, dajohnso, dbecker, dblechte, dfediuck, dmetzger, dmoppert, drieden, eedri, eglynn, ehelms, etirelli, flucifre, frenaud, gblomqui, gmalinko, gmccullo, gmeno, gtanzill, ibek, idm-ds-dev-bugs, janstey, jfrey, jhardy, jjoyce, jkozol, jpavlik, jprause, jschluet, jsherril, jwendell, kbasil, kdixon, krathod, kverlaen, lhh, lpeer, lpetrovi, lzap, mbenjamin, mburns, meissner, mgarciac, mgoldboi, mhackett, mhulan, michal.skrivanek, mkosek, mkudlej, mperina, mpitt, muagarwa, myarboro, nmoumoul, obarenbo, ocs-bugs, omachace, omajid, orabin, paradhya, pcreech, pdelbell, pdrozd, pjindal, rcernich, rchan, rcritten, rhcs-maint, rhos-maint, rhos-maint, roliveri, rrajasek, rsynek, rzhang, sbonazzo, sclewis, sdaley, sgratch, sherold, simaishi, slinaber, sostapov, spower, sthorger, tjochec, tlestach, tscherf, twalsh, twoerner, vereddy, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | bootstrap 3.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Bootstrap, where it is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. This flaw allows a remote attacker to execute a script in a victim's web browser within the security context of the hosting web site, which can lead to stealing the victim's cookie-based authentication credentials. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-12 13:06:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1668086, 2183408, 1668083, 1668084, 1668085, 1673145, 1673146, 1673147, 1673148, 1673149, 1673209, 1740983, 1811969, 1811970, 2183409, 2183410, 2183411 | | |
| Bug Blocks: | 1668094 | | |
Description

Laura Pardo 2019-01-21 21:28:11 UTC

Created python-XStatic-Bootstrap-SCSS tracking bugs for this issue:

- Affects: epel-7 [bug 1668083]
- Affects: fedora-all [bug 1668084]
- Affects: openstack-rdo [bug 1668086]

Created rubygem-bootstrap-sass tracking bugs for this issue:

- Affects: fedora-all [bug 1668085]

This issue has been addressed in the following products:

- Red Hat Single Sign-On 7.3.2 zip

Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20676

This vulnerability was addressed in Red Hat Virtualization 4.3 package ovirt-engine-api-explorer via https://access.redhat.com/errata/RHBA-2019:1570

Statement:

Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.

Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.

This issue has been addressed in the following products:

- Red Hat Virtualization Engine 4.3

Via RHSA-2019:3023 https://access.redhat.com/errata/RHSA-2019:3023

This issue has been addressed in the following products:

- Red Hat Process Automation

Via RHSA-2020:0132 https://access.redhat.com/errata/RHSA-2020:0132

This issue has been addressed in the following products:

- Red Hat Decision Manager

Via RHSA-2020:0133 https://access.redhat.com/errata/RHSA-2020:0133

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 7

Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8

Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670

This issue has been addressed in the following products:

- Red Hat OpenStack Platform 13.0 (Queens)
- Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:5571 https://access.redhat.com/errata/RHSA-2020:5571

This issue has been addressed in the following products:

- Red Hat Ceph Storage 6.1

Via RHSA-2023:5693 https://access.redhat.com/errata/RHSA-2023:5693