CVE-2019-8331.yml
---
gem: twitter-bootstrap-rails
cve: 2019-8331
ghsa: 9v3m-8fp8-mj99
url: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
title: twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
date: 2019-02-15
description: |
  The seyhunak/twitter-bootstrap-rails gem includes a vendored version of
  the Bootstrap JavaScript library.
  In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
  in the tooltip or popover data-template attribute.
  The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
  All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
  All versions of this gem are affected.

  # Workarounds

  Until this gem is updated to use Bootstrap v3.4.1, users can replace it
  with the official Twitter-maintained gems, `bootstrap-sass` (version 3.4.1)
  or `bootstrap` (bootstrap 4 and 5).
cvss_v2: 4.3
cvss_v3: 6.1
related:
  url:
    - https://github.com/twbs/bootstrap-sass/releases/tag/v3.4.1