CVE-2019-8331.yml
---
gem: twitter-bootstrap-rails
cve: 2019-8331
ghsa: 9v3m-8fp8-mj99
url: https://github.com/advisories/GHSA-9v3m-8fp8-mj99
title: twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
date: 2019-02-15
description: |
  The seyhunak/twitter-bootstrap-rails gem includes a vendored version of
  the Bootstrap JavaScript library.
  In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
  in the tooltip or popover data-template attribute.
  The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
  All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
  All versions of this gem are affected.
  # Workarounds
  Until this gem is updated to use Bootstrap v3.4.1, users can replace it
  with the official Twitter-maintained gems, `bootstrap-sass` (version 3.4.1)
  or `bootstrap` (bootstrap 4 and 5).
cvss_v2: 4.3
cvss_v3: 6.1
patched_versions:
- ">= 5.3.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-8331
    - https://github.com/seyhunak/twitter-bootstrap-rails/releases/tag/v5.3.0
    - https://github.com/seyhunak/twitter-bootstrap-rails/commit/ec8d08af20fa3abe9852f51f7e1258fc40b39a44
    - https://github.com/twbs/bootstrap-sass/releases/tag/v3.4.1
    - https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1
    - https://github.com/advisories/GHSA-9v3m-8fp8-mj99