Homepage
About Snyk

org.webjars.bower:bootstrap@3.3.5 vulnerabilities

  • latest version

    5.3.3

  • latest non vulnerable version

    5.3.3

  • first published

    10 years ago

  • latest version published

    8 months ago

  • licenses detected

  • package manager

    View on Maven Repository
Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.bower:bootstrap package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting through the data-loading-text attribute in the button component. An attacker can execute arbitrary JavaScript code by injecting malicious scripts into this attribute.

Note:

This vulnerability is under active investigation and it may be updated with further details.

How to fix Cross-site Scripting?

Upgrade org.webjars.bower:bootstrap to version 4.0.0 or higher.

[,4.0.0)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to inadequate sanitization of the href attribute, belonging to an <a> tag, in the carousel component. An attacker can execute arbitrary JavaScript within the victim's browser by injecting malicious code into the data-slide or data-slide-to attributes.

Notes:

  1. Exploiting this vulnerability is also possible when the data_target attribute doesn’t exist or can’t be found, allowing the bypass of the clickHandler functionality.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 5.0.0-beta1 or higher.

[,5.0.0-beta1)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in data-template, data-content and data-title properties of tooltip/popover.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 3.4.1, 4.3.1 or higher.

[,3.4.1) [4.0.0,4.3.1)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tooltip data-viewport attribute.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 3.4.0 or higher.

[,3.4.0)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the affix configuration target property.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 3.4.0 or higher.

[,3.4.0)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tooltip, collapse and scrollspy plugins.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 3.4.0, 4.1.2 or higher.

[,3.4.0) [4.0.0,4.1.2)
  • M
Cross-site Scripting (XSS)

org.webjars.bower:bootstrap is a popular front-end framework for faster and easier web development.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the data-target attribute.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.bower:bootstrap to version 3.4.0, 4.0.0-beta.3 or higher.

[,3.4.0) [4.0.0-beta,4.0.0-beta.3)
Go back to all versions of this package