Overview
Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.
A cross-site scripting (XSS) vulnerability has been identified within the Bootstrap 3 Button component.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
Details
Module Info
- Product: Bootstrap
- Affected packages: bootstrap
- Affected versions: >=1.4.0 <=3.4.1
- GitHub repository: https://github.com/twbs/bootstrap
- Published packages: https://www.npmjs.com/package/bootstrap
- Package manager: npm
- Fixed in: Bootstrap NES v3.4.4
Vulnerability Info
The value of a data-*-text attribute (e.g. data-complete-text) used with the button's stateful feature is inserted into the button without content sanitization. As a result, no restrictions are applied to the HTML that can be shown inside the button. This allows the injection of malicious scripts (XSS), which can lead to the exfiltration of sensitive data to remote servers.
Steps To Reproduce
The button component code does not properly sanitize content placed in attributes that follow the format data-[string]-text and are used in conjunction with the .button() method. A button that binds such a data attribute to URL parameters or input fields would allow an attacker to inject malicious code. See the example code and the proof of concept below.
Example Code
<!-- Untrusted value; stands in for a URL parameter or user-supplied field -->
<input
  id="firstName"
  type="text"
  value="<script>alert('XSS Input Success')</script><span>Loading XSS</span>"
/>
<button
  class="btn btn-primary input-test"
  data-loading-text="<span>I'm Loading</span>"
  type="button"
>
  Click Me
</button>
<script>
  $(function () {
    $('.input-test').click(function () {
      var inputValue = $('#firstName').val();
      // Overwrites the button's loadingText data with the raw input value;
      // .button('loading') then writes that value into the button as HTML.
      $(this).data('loadingText', inputValue);
      $(this).button('loading', inputValue);
    });
  });
</script>
Proof Of Concept
A full proof of concept with code can be viewed here.
Credits
- K (finder)
Mitigation
Bootstrap 3 has reached End-of-Life. Users of the affected components should apply one of the following mitigations:
- Migrate to a newer version of Bootstrap.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Addressing The Issue
Bootstrap 3 has reached end of life and a migration to a later version of Bootstrap is recommended.
Alternatively, HeroDevs offers a secure Bootstrap 3 drop-in replacement.
Despite Bootstrap version 3 reaching its end-of-life, HeroDevs has stepped up to provide a critical patch to address this vulnerability. This patch ensures that data attributes are properly sanitized, thus blocking the potential for XSS attacks through this vector.
HeroDevs clients paying for Bootstrap Never-Ending Support received the fix for this issue in the latest NES version of Bootstrap 3 (bootstrap@3.4.5). If you haven’t installed the latest version yet or need assistance, please contact our support team for help.
For all other Bootstrap 3 users, please consider a speedy migration away from Bootstrap 3. Alternatively, please reach out to explore how easy it is to receive secure Bootstrap 3 updates from HeroDevs.
Learning And Prevention
To further assist the community, HeroDevs offers detailed guidance on preventing similar vulnerabilities in the future. Key strategies include sanitizing data inputs, particularly those that interact with critical components like dynamic button content. We also recommend regularly reviewing and updating third-party libraries to catch and address potential security flaws before they can be exploited.
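The following is an added illustration of the guidance above, not code from Bootstrap or from the HeroDevs patch. It models the behaviour shown in the example code: the `loading` state text is written into the button as HTML, so any untrusted value stored in `loadingText` is parsed as markup. The helper names (`escapeHtml`, `renderLoadingState`, `extractButtonContent`, `containsMarkup`) are chosen here for the example, and the sink is modelled as a string so it runs without a browser or jQuery. Escaping on the application side before the value reaches the data attribute is one defensive approach; it is assumed here, not a description of the NES fix.

```javascript
// Added example (not Bootstrap's or HeroDevs' code). Sample input is
// constructed and mirrors the advisory's example payload.
const SAMPLE_INPUT =
  "<script>alert('XSS Input Success')</script><span>Loading XSS</span>";

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in an HTML text/attribute context.
// Hypothetical helper; many template libraries ship an equivalent.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal model of the plugin's sink: the state text becomes the button's
// inner HTML, exactly as an .html(loadingText) call would produce.
function renderLoadingState(loadingText) {
  return `<button class="btn btn-primary" disabled>${loadingText}</button>`;
}

// Vulnerable pattern from the advisory: untrusted input is stored as the
// loading text without any processing.
function unsafeUpdate(untrustedInput) {
  return renderLoadingState(untrustedInput);
}

// Hardened pattern: the value is escaped before it is stored, so the plugin
// can only ever render it as literal text.
function safeUpdate(untrustedInput) {
  return renderLoadingState(escapeHtml(untrustedInput));
}

// Pull the rendered button's content back out so a check can inspect it.
function extractButtonContent(html) {
  const match = /<button[^>]*>([\s\S]*)<\/button>$/.exec(html);
  return match ? match[1] : '';
}

// Detection check for tests or a code-review lint: does the rendered content
// still contain tag-opening markup?
function containsMarkup(text) {
  return /<[a-zA-Z/!]/.test(text);
}

// Usage: compare the two code paths on the same input.
console.log('unsafe renders markup:',
  containsMarkup(extractButtonContent(unsafeUpdate(SAMPLE_INPUT))));
console.log('safe renders markup:  ',
  containsMarkup(extractButtonContent(safeUpdate(SAMPLE_INPUT))));
```

The same check can be applied in a unit test to any code that copies request parameters or form values into `data-*-text` attributes: if `containsMarkup` is true on the rendered output for a tag-bearing input, the value reached the plugin unescaped.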
Conclusion
CVE-2024-6485 serves as a reminder of the importance of maintaining and securing software, even after it has reached end-of-life. With proactive measures and community support, we can ensure a safer digital environment for all users.
If you are interested in receiving security, compliance, and compatibility support for Bootstrap 3 and supporting libraries, please contact us.
Stay secure and ensure your systems are updated with the latest patches from HeroDevs. Follow our blog for more insights and security updates.