By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2018-14040

Cross-Site Scripting

Affects

Bootstrap

>=2.3.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.1.2

Bootstrap

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

‍

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

‍

A cross-site scripting (XSS) vulnerability (CVE-2018-14040) has been identified within the Bootstrap 2 Collapse component.

‍

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Details

Module Info

Product: Bootstrap
Affected packages: bootstrap
Affected versions: >=2.3.0 <=2.3.2, >=3.0.0-rc1 <3.4.0, >=4.0.0-alpha <4.1.2
GitHub repository: https://github.com/twbs/bootstrap
Published packages: https://npmjs.com/package/bootstrap
Package manager: npm
Fixed in: Bootstrap NES v2.3.5

‍

Vulnerability Info

The Medium-severity vulnerability is a result of improper handling of the data-parent attribute, which could allow an attacker to inject malicious JavaScript code.

‍

The data-parent attribute is used to reference the ancestor container for collapsible elements. The affected code directly assigns the raw value of this.options.parent to this.$parent, trusting the input without validation or sanitization, leading to potential XSS attacks.

‍

Steps To Reproduce

Create an HTML page that is set up to use Bootstrap v2 and create an accordion component.
Change one of the data-parent attributes to contain the following value: <img src='1' onerror='alert(1)' />
Click the “data-parent XSS Example” link to fire the XSS.
Example:

<div class="accordion" id="accordion">
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="#accordion"
        href="#collapseOne"
      >
        Collapsible Group Item #1
      </a>
    </div>
    <div id="collapseOne" class="accordion-body collapse in">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
  <div class="accordion-group">
    <div class="accordion-heading">
      <a
        class="accordion-toggle"
        data-toggle="collapse"
        data-parent="<img src='1' onerror='alert(1)' />"
        href="#collapseTwo"
      >
        'data-parent' XSS Example
      </a>
    </div>
    <div id="collapseTwo" class="accordion-body collapse">
      <div class="accordion-inner">Anim pariatur cliche...</div>
    </div>
  </div>
</div>