By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2016-10735

Cross-Site Scripting
Affects
Bootstrap
>=2.0.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.0.0-beta.2
in
Bootstrap
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

A cross-site scripting (XSS) vulnerability (CVE-2016-10735) has been identified within the following Bootstrap 2 components:

  • Tab
  • Alert
  • Collapse
  • Dropdown
  • Modal
  • Carousel

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Details

Module Info

Vulnerability Info

The Medium-severity vulnerability is a result of improper handling of selectors passed in the data-target and href attributes, which could allow an attacker to inject malicious JavaScript code.

The selector from the data-target or href attribute is used to reference which element to act upon. The affected code directly assigns the selector, trusting the input without validation or sanitization, leading to potential XSS attacks.

Steps To Reproduce

  1. Create an HTML page that is set up to use Bootstrap v2 and create an anchor element as a tooltip.
  2. Change the data-target attribute to contain the following value: <img src='1' onerror='alert(1)' />
  3. Click the ‘X’ to close the alert and observe the XSS fire.

Example:

<p>
  <a
    class="close"
    data-dismiss="alert"
    data-target="<img src=1 onerror=alert(123) />"
    href="#"
  >&times;</a
  >
</p>

Credits

  • Lpilorz (finder)

Mitigation

The Bootstrap 2 version is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a supported version of Bootstrap.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Pink arrow
Pink arrow
CVE-2024-6531
CVE-2024-6484
CVE-2024-6485
CVE-2018-14040
CVE-2018-14042
CVE-2016-10735
CVE-2019-8331
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2016-10735
PROJECT Affected
Bootstrap
Versions Affected
>=2.0.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.0.0-beta.2
Published date
February 28, 2025
≈ Fix date
February 28, 2025
Fixed in
Bootstrap NES
Severity
Medium
Category
Cross-Site Scripting
Sign up for the latest vulnerability alerts fixed in
Bootstrap NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.