CVE-2019-8331

Cross-Site Scripting
Affects: Bootstrap >=2.0.0 <=2.3.2, >=3.0.0-rc1 <3.4.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

A cross-site scripting (XSS) vulnerability (CVE-2019-8331) has been identified within the Bootstrap 2 Tooltip and Popover components.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

Details

Vulnerability Info

This Medium-severity vulnerability results from improper sanitization of HTML content supplied through the data-template and data-title attributes, which could allow an attacker to inject malicious JavaScript code.

The affected code inserts the values of these attributes into the DOM without sanitizing them, so any markup placed in the template is rendered as-is and any script it carries executes in the page (template injection leading to XSS).

Steps To Reproduce

  1. Create an HTML page that is set up to use Bootstrap v2 and add an anchor element with a tooltip attached.
  2. Change the data-template attribute to contain the following value: <img src='1' onerror='alert(1)' />
  3. Instantiate the tooltip with the .tooltip() function.
  4. Hover over the button to fire the XSS.

Example:

<!-- jQuery and the Bootstrap 2 tooltip plugin (bootstrap.js) must be loaded before this markup. -->
<p>
  <a
    href="#"
    class="btn btn-large btn-danger"
    data-toggle="tooltip"
    title="This is title"
    data-content="this is content"
    data-template='<img src=1 onerror=alert(123) /></div></div>'
  >Hover to toggle tooltip</a>
</p>

<script>
  // Initialises every element marked data-toggle="tooltip"; the data-template
  // value above is inserted into the DOM unsanitized when the tooltip is shown.
  $(document).ready(function () {
    $('[data-toggle="tooltip"]').tooltip()
  })
</script>

Credits

  • Yonatan Offek (poiu) (finder)

Mitigation

The Bootstrap 2 version is End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a supported version of Bootstrap.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
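As an added illustration of an interim guard for applications that cannot migrate immediately (this is example code, not HeroDevs' or Bootstrap's own): a fail-closed check in plain JavaScript that refuses to initialise any tooltip or popover whose data-template (or, when data-html="true" is set, data-title / data-content) contains markup outside a small allowlist. The allowlist of tags and attributes, the fakeElement helper and the sample records are assumptions constructed for this demonstration; Bootstrap 2 itself performs no such check.

```javascript
// Added example, not HeroDevs' or Bootstrap's code. Bootstrap 2 inserts the
// data-template value into the DOM without sanitizing it, so until an
// application is migrated the safest interim guard is to refuse to initialise
// any tooltip/popover whose template contains markup outside an allowlist.
// The allowlist below is an assumption sized for the default tooltip and
// popover templates; it is tighter than the sanitizer Bootstrap 3.4.1 ships.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'h3', 'b', 'i', 'em', 'strong']);
const ALLOWED_ATTRS = new Set(['class', 'id', 'role', 'dir', 'lang']);
const ARIA_ATTR = /^aria-[a-z-]+$/;

// One tag per match; attributes are validated separately so that any oddity
// (event handlers, unknown names, unterminated quotes) rejects the template.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\s*([^<>]*?)\s*\/?>/g;
const ATTR_RE = /^([^\s=\/'"<>]+)(?:=(?:"[^"<>]*"|'[^'<>]*'|[^\s"'<>`=]+))?$/;

function attrsAreSafe(attrString) {
  // Split on whitespace outside quotes; TAG_RE already excludes angle brackets.
  const parts = [];
  let cur = '';
  let quote = null;
  for (const ch of attrString) {
    if (quote) { cur += ch; if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") { cur += ch; quote = ch; }
    else if (/\s/.test(ch)) { if (cur) { parts.push(cur); cur = ''; } }
    else cur += ch;
  }
  if (quote !== null) return false;          // unterminated quote: fail closed
  if (cur) parts.push(cur);
  return parts.every((part) => {
    const m = ATTR_RE.exec(part);
    if (!m) return false;                    // malformed attribute syntax
    const name = m[1].toLowerCase();
    if (name.startsWith('on')) return false; // onerror, onclick, ...
    return ALLOWED_ATTRS.has(name) || ARIA_ATTR.test(name);
  });
}

// True only when every tag in the template is allowlisted and well-formed.
function isSafeTemplate(template) {
  if (typeof template !== 'string') return false;
  const rest = template.replace(TAG_RE, (whole, name, attrs) =>
    ALLOWED_TAGS.has(name.toLowerCase()) && attrsAreSafe(attrs) ? '' : '<');
  // Any '<' or '>' left over is a rejected, unknown or malformed tag.
  return !/[<>]/.test(rest);
}

// Partition elements into those safe to pass to .tooltip()/.popover() and
// those that must be left uninitialised and reported. `elements` is any list
// of objects exposing getAttribute(), so real DOM nodes work as well as the
// constructed records below.
function auditTooltipElements(elements) {
  const safe = [];
  const rejected = [];
  for (const el of elements) {
    const toCheck = [el.getAttribute('data-template')];
    // With data-html="true" Bootstrap 2 also renders title/content as HTML.
    if (el.getAttribute('data-html') === 'true') {
      toCheck.push(el.getAttribute('data-title'), el.getAttribute('data-content'));
    }
    const ok = toCheck.every((v) => v === null || isSafeTemplate(v));
    (ok ? safe : rejected).push(el);
  }
  return { safe, rejected };
}

// Constructed stand-ins for DOM elements (assumption: a real page would gather
// them with document.querySelectorAll('[data-toggle="tooltip"], [data-toggle="popover"]')).
function fakeElement(id, attrs) {
  return { id, getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}

const SAMPLE_ELEMENTS = [
  fakeElement('default', { 'data-toggle': 'tooltip', title: 'plain text title' }),
  fakeElement('custom-ok', {
    'data-toggle': 'tooltip',
    'data-template': '<div class="tooltip" role="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>',
  }),
  // The advisory's own proof-of-concept value.
  fakeElement('poc', {
    'data-toggle': 'tooltip',
    'data-template': '<img src=1 onerror=alert(123) /></div></div>',
  }),
  // Same payload delivered through data-title with HTML rendering enabled.
  fakeElement('html-title', {
    'data-toggle': 'tooltip',
    'data-html': 'true',
    'data-title': '<b>Note</b> <img src=1 onerror=alert(123) />',
  }),
];

// Returns the ids of elements that would be refused initialisation.
function rejectedIds(elements) {
  return auditTooltipElements(elements).rejected.map((el) => el.id);
}

console.log('rejected:', rejectedIds(SAMPLE_ELEMENTS)); // → [ 'poc', 'html-title' ]
```

In a page this would run before the existing `$('[data-toggle="tooltip"]').tooltip()` call: initialise only the `safe` list and send the `rejected` list to your logging, since an element that fails the check is either a misconfiguration or an injection attempt worth investigating. The check deliberately rejects rather than strips, so a template containing anything unexpected (including a `<` in plain text) is refused; that is the correct failure mode for a guard whose only job is to keep untrusted markup out of the DOM.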

Vulnerability Details

ID: CVE-2019-8331
Project Affected: Bootstrap
Versions Affected: >=2.0.0 <=2.3.2, >=3.0.0-rc1 <3.4.1
Published date: February 28, 2025
Fix date (approx.): February 28, 2025
Severity: Medium
Category: Cross-Site Scripting