Bug 1601617 (CVE-2018-14042) - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
Summary: CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container pr...
Keywords:
Status: NEW
Alias: CVE-2018-14042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180529,repor...
Depends On: 1654025 1654026 1657420 1639099 1654024 1657416 1657417 1657418 1657419
Blocks: 1632066
Reported: 2018-07-16 22:54 UTC by Laura Pardo
Modified: 2019-06-18 21:35 UTC (History)

Fixed In Version: bootstrap 4.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Laura Pardo 2018-07-16 22:54:11 UTC
A flaw was found in Bootstrap from version 4.0 and before 4.1.2. A Cross-site Scripting (XSS) is possible in the data-container property of tooltip.


References:
https://github.com/twbs/bootstrap/issues/26628

Upstream Patch:
https://github.com/twbs/bootstrap/pull/26630
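
Added example, not code from this report or from Bootstrap: a static check for templates that flags `data-container` values jQuery's `$()` would parse as HTML rather than use as a selector, which is the pattern the upstream patch above closes by resolving the option strictly as a selector. The HTML-vs-selector classification is modelled on jQuery 3's heuristic; the attribute regex, function names and sample markup are my own.

```javascript
'use strict';

// Added example (not from the Bugzilla report or from Bootstrap itself). Before
// Bootstrap 4.1.2 the tooltip passed the data-container value to jQuery's $(),
// which parses a string that looks like HTML into live elements instead of
// using it as a selector; the upstream patch resolves the option strictly as
// a selector. This helper flags data-container values in server-side templates
// that jQuery would parse as HTML. Classification is modelled on jQuery 3's
// init() heuristic; the attribute regex and function names are my own.

// jQuery's rquickExpr, HTML branch only (its "#id" branch is a plain selector).
const RQUICK_HTML = /^(?:\s*(<[\w\W]+>)[^>]*)$/;

function jqueryTreatsAsHtml(value) {
  if (typeof value !== 'string') return false;
  // Fast path jQuery checks first: "<...>" at both ends, at least 3 chars.
  if (value.length >= 3 && value[0] === '<' && value[value.length - 1] === '>') {
    return true;
  }
  return RQUICK_HTML.test(value);
}

// Pull every data-container="..." / '...' value out of a markup fragment.
// Entity decoding is deliberately omitted: values are compared as authored.
const ATTR_RE = /data-container\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function extractContainerValues(markup) {
  const values = [];
  for (const m of markup.matchAll(ATTR_RE)) {
    values.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return values;
}

// Only the values that would reach $() as HTML rather than as a selector.
function findRiskyContainers(markup) {
  return extractContainerValues(markup).filter(jqueryTreatsAsHtml);
}

// Constructed sample template: two ordinary selectors and one HTML-looking value.
const SAMPLE_TEMPLATE = [
  '<button data-toggle="tooltip" data-container="body" title="ok">A</button>',
  "<button data-toggle='tooltip' data-container='#modal-1' title='ok'>B</button>",
  '<button data-toggle="tooltip" data-container="<div id=injected>" title="x">C</button>',
].join('\n');

console.log('data-container values jQuery would parse as HTML:', findRiskyContainers(SAMPLE_TEMPLATE));
```

Run it against rendered templates or view-source captures; any value it reports is one that, on an unpatched Bootstrap, would be handed to `$()` as markup.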

Comment 2 Doran Moppert 2018-10-15 05:20:30 UTC
bootstrap 3.3.7 is affected by this flaw.

Comment 5 dkwakkel 2018-11-22 08:32:59 UTC
@Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628 they explicitly state that 3.3.7 is not affected. Any reason why you think it is?

Comment 7 Doran Moppert 2018-12-07 00:43:30 UTC
In reply to comment #5:
> @Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628
> they explicitly state that 3.3.7 is not affected. Any reason why you think it
> is?

Sorry, I should have made this clear in a public comment.

The reproducer [1] linked from the upstream ticket continues to work if you change the bootstrap paths to read 3.3.7 instead of 4.4.1.  I saw a test case elsewhere referencing bootstrap 3.3.7 but an invalid jquery url, which failed to work.

1: https://jsbin.com/bimipayoda/edit?html,output

Comment 14 Cedric Buissart 🐶 2019-03-15 14:42:14 UTC
Statement:

Red Hat Satellite 6.2 and newer versions don't use the bootstrap library, hence are not affected by this flaw.

Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.

Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.

