Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484 #1251

Open
PeterVenhuizen opened this issue Aug 7, 2024 · 8 comments
Open

Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484 #1251

PeterVenhuizen opened this issue Aug 7, 2024 · 8 comments

Comments

@PeterVenhuizen
Copy link

As identified by our bundle audit job in the CI:

Name: bootstrap-sass
Version: 3.4.1
CVE: CVE-2024-6484
GHSA: GHSA-9mvj-f7w8-pvh2
Criticality: Medium
URL: https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
Title: Bootstrap Cross-Site Scripting (XSS) vulnerability
Solution: remove or disable this gem until a patch is available!

Text from the GitHub advisories:
"A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser."
@doconnor-clintel
Copy link

doconnor-clintel commented Aug 21, 2024
edited
Loading

https://www.herodevs.com/vulnerability-directory/cve-2024-6484

How is this a CVE!

You have to put your own hyperlink with malicious javascript on the page:

<a
    href="javascript:alert('XSS href')"
    class="left"
    role="button"
    data-slide="prev"
  >

@PBaciu
Copy link

PBaciu commented Sep 7, 2024
edited
Loading

Would sanitizing the href value in the carousel data api be a sufficient fix? If so, I could fork the repo and put a PR up.

@PoroshkinaVV
Copy link

@twbs please, pay attention to this problem

@hocine15
Copy link

is there any solution for this issue? will this be patched or not?

@pau1phi11ips
Copy link

It's this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

@arosiek
Copy link

arosiek commented Feb 27, 2025

it brings some problems in our pipeline (security check), are you able to solve the issue?

@arosiek
Copy link

arosiek commented Feb 27, 2025

It's this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

some cms user may do something wrong - it requires additional issues on the website, but why not to protect against here? plus script is more hidden, and as a carousel button is more attractive to click.

@prana-lee
Copy link

You can mitigate this by adding a one line event.preventDefault(), just like in Bootstrap 5's carousel.js. Free fix that doesn't require a subscription.

Here's my fix in carousel.js - the method starts at line 542:

  static _dataApiClickHandler(event) {
    const selector = Util.getSelectorFromElement(this)
    event.preventDefault(); // this is the fix
    if (!selector) {
      return

The vulnerability is way overblown. It's way too easy to submit CVE these days to scare people.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@pau1phi11ips @arosiek @hocine15 @PeterVenhuizen @PoroshkinaVV @prana-lee @PBaciu @doconnor-clintel