Bug 1537291 - bootstrap: Cross-site Scripting (XSS) in data-target attribute
Summary: bootstrap: Cross-site Scripting (XSS) in data-target attribute
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1537293 1537292 1537294 1539137 1539138 1539139 1539140 1539141
Blocks: 1537296
 
Reported: 2018-01-22 20:42 UTC by Laura Pardo
Modified: 2021-02-17 00:56 UTC (History)

Fixed In Version: bootstrap 3.4.0, bootstrap 4.0.0-beta.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:37:59 UTC
Embargoed:



Description Laura Pardo 2018-01-22 20:42:10 UTC
A flaw was found in Bootstrap. Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.

References:
https://github.com/twbs/bootstrap/issues/20184

Patches:
* V4
https://github.com/twbs/bootstrap/pull/23679
https://github.com/twbs/bootstrap/commit/9612830701211d757ff95ceccbb494fd2e7ee17e

* V3
https://github.com/twbs/bootstrap/pull/23687
https://github.com/twbs/bootstrap/pull/23687/commits/d9be1da55bf0f94a81e8a2c9acf5574fb801306e
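
Added illustration of the pattern behind this bug, written for this page; it is not Bootstrap's code and not part of the original report. It assumes the mechanism recorded in the upstream issue linked above: a data-target value that flows unchecked into jQuery's $(...) is parsed as HTML when it begins with "<", so an attacker who controls the attribute gets markup (and its event handlers) created instead of a selector lookup. Because neither jQuery nor a DOM is available here, both are replaced by small constructed stand-ins (jqueryLikeDispatch, findInDocument, FAKE_DOCUMENT_IDS); the resolver names (resolveTargetVulnerable, resolveTargetHardened) and the sample trigger elements are likewise constructed for the example.

```javascript
// Constructed stand-in for jQuery's $(string) dispatch: a string beginning
// with "<" is parsed as HTML (creating elements and, in a real browser,
// running their event handlers); anything else goes to the selector engine.
// This is a simplification of jQuery's rquickExpr, not the real engine.
function jqueryLikeDispatch(str) {
  const s = String(str).trim();
  if (s.startsWith('<')) {
    return { kind: 'html', markup: s };
  }
  return { kind: 'selector', selector: s };
}

// Constructed stand-in for $(document).find(selector) / querySelectorAll:
// it understands only "#id" selectors against a tiny fake document and,
// like a real selector engine, throws on anything that is not a selector.
const FAKE_DOCUMENT_IDS = new Set(['demo', 'navbar-collapse']);
function findInDocument(selector) {
  const m = /^#([\w-]+)$/.exec(selector);
  if (!m) {
    throw new SyntaxError(`'${selector}' is not a valid selector`);
  }
  return FAKE_DOCUMENT_IDS.has(m[1]) ? [m[1]] : [];
}

// Vulnerable pattern: the attribute value is handed straight to $(...),
// so a value starting with "<" selects the HTML branch, not a lookup.
function resolveTargetVulnerable(element) {
  const target =
    element.attributes['data-target'] || element.attributes['href'] || '';
  return jqueryLikeDispatch(target);
}

// Hardened pattern (the shape of the upstream fix): the value never reaches
// $(...) directly; it is resolved only as a selector scoped to the document,
// and an invalid or non-matching selector means "no target".
function resolveTargetHardened(element, find = findInDocument) {
  let selector = element.attributes['data-target'];
  if (!selector || selector === '#') {
    selector = element.attributes['href'] || '';
  }
  try {
    return find(selector).length > 0 ? selector : null;
  } catch (_err) {
    return null; // not a selector at all, e.g. an HTML string
  }
}

// Constructed sample trigger elements (plain attribute maps, not DOM nodes).
const benignTrigger = { attributes: { 'data-target': '#demo' } };
const missingTrigger = { attributes: { 'data-target': '#not-there' } };
const hostileTrigger = {
  // Constructed payload: in a browser, jQuery would turn this string into an
  // <img> element whose onerror handler then runs.
  attributes: { 'data-target': '<img src=x onerror="alert(document.domain)">' },
};

// Summarise how each resolver treats the three triggers.
function demo() {
  return {
    vulnerableBenign: resolveTargetVulnerable(benignTrigger).kind,   // 'selector'
    vulnerableHostile: resolveTargetVulnerable(hostileTrigger).kind, // 'html'
    hardenedBenign: resolveTargetHardened(benignTrigger),            // '#demo'
    hardenedMissing: resolveTargetHardened(missingTrigger),          // null
    hardenedHostile: resolveTargetHardened(hostileTrigger),          // null
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the hardened form is not the try/catch by itself but that the attribute value is only ever interpreted as a selector; scoping the lookup to the document removes the HTML branch entirely, and treating a selector that matches nothing as null keeps a malformed value from silently selecting an unintended element.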

Comment 1 Laura Pardo 2018-01-22 20:44:12 UTC
Created python-XStatic-Bootstrap-SCSS tracking bugs for this issue:

Affects: epel-7 [bug 1537293]
Affects: fedora-all [bug 1537292]


Created rubygem-bootstrap-sass tracking bugs for this issue:

Affects: fedora-all [bug 1537294]

Comment 4 Joshua Padman 2018-01-28 10:21:33 UTC
Statement:

This issue affects the versions of bootstrap-sass as shipped with CloudForms version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of bootstrap as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of ruby193-rubygem-bootstrap-sass as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of bootstrap-scss as shipped with Red Hat OpenStack versions 6 - 12. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

