A flaw was found in Bootstrap versions from 4.0 and before 4.1.2. Cross-site scripting (XSS) is possible in the data-container property of tooltip.
Bootstrap 3.3.7 is affected by this flaw.
@Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628 they explicitly state that 3.3.7 is not affected. Any reason why you think it is?
In reply to comment #5:
> @Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628
> they explicitly state that 3.3.7 is not affected. Any reason why you think it
Sorry, I should have made this clear in a public comment.
The reproducer linked from the upstream ticket continues to work if you change the bootstrap paths to read 3.3.7 instead of 4.4.1. I saw a test case elsewhere referencing bootstrap 3.3.7 but an invalid jQuery URL, which failed to work.
Red Hat Satellite 6.2 and newer versions don't use the bootstrap library, hence are not affected by this flaw.
Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.
Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.