Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484

[PeterVenhuizen]

As identified by our bundle audit job in the CI:

Name: bootstrap-sass
Version: 3.4.1
CVE: CVE-2024-6484
GHSA: GHSA-9mvj-f7w8-pvh2
Criticality: Medium
URL: https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
Title: Bootstrap Cross-Site Scripting (XSS) vulnerability
Solution: remove or disable this gem until a patch is available!

Text from the GitHub advisories:
"A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser."

[doconnor-clintel]

https://www.herodevs.com/vulnerability-directory/cve-2024-6484

How is this a CVE!

You have to put your own hyperlink with malicious javascript on the page:

<a
    href="javascript:alert('XSS href')"
    class="left"
    role="button"
    data-slide="prev"
  >

[PBaciu]

Would sanitizing the href value in the carousel data api be a sufficient fix? If so, I could fork the repo and put a PR up.

[PoroshkinaVV]

@twbs please, pay attention to this problem

[hocine15]

is there any solution for this issue? will this be patched or not?

[pau1phi11ips]

It's this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

[arosiek]

it brings some problems in our pipeline (security check), are you able to solve the issue?

[arosiek]

It's this really an issue? If you're building Carousels with unchecked user provided URLs, then that is the problem. I don't think it should be down to TWS to do the sanitisation here.

some cms user may do something wrong - it requires additional issues on the website, but why not to protect against here? plus script is more hidden, and as a carousel button is more attractive to click.

[prana-lee]

You can mitigate this by adding a one line event.preventDefault(), just like in Bootstrap 5's carousel.js. Free fix that doesn't require a subscription.

Here's my fix in carousel.js - the method starts at line 542:

  static _dataApiClickHandler(event) {
    const selector = Util.getSelectorFromElement(this)
    event.preventDefault(); // this is the fix
    if (!selector) {
      return

The vulnerability is way overblown. It's way too easy to submit CVE these days to scare people.

[arosiek]

You can mitigate this by adding a one line event.preventDefault(), just like in Bootstrap 5's carousel.js. Free fix that doesn't require a subscription.

Here's my fix in carousel.js - the method starts at line 542:

static _dataApiClickHandler(event) {
const selector = Util.getSelectorFromElement(this)
event.preventDefault(); // this is the fix
if (!selector) {
return
The vulnerability is way overblown. It's way too easy to submit CVE these days to scare people.

Hi! thanks but not vulnerability is the problem here. CVE itself is the problem. can someone solve this?

[zenepay]

Hopefully, the issue is resolved soon.

[git123-99]

https://ubuntu.com/security/notices/USN-7556-1 fix CVE-2024-6484

https://security-tracker.debian.org/tracker/source-package/twitter-bootstrap3 fix CVE-2024-6484