Getbootstrap: Security Vulnerabilities
Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.
CVSS Score
9.8
EPSS Score
0.094
Published
2019-04-04
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
CVSS Score
6.1
EPSS Score
0.017
Published
2019-02-20
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
CVSS Score
6.1
EPSS Score
0.061
Published
2019-01-09
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
CVSS Score
6.1
EPSS Score
0.119
Published
2019-01-09
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVSS Score
6.1
EPSS Score
0.062
Published
2019-01-09
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
CVSS Score
6.1
EPSS Score
0.017
Published
2018-07-13
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
CVSS Score
6.1
EPSS Score
0.079
Published
2018-07-13
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CVSS Score
6.1
EPSS Score
0.02
Published
2018-07-13