CVE-2024-6485

Cross-Site Scripting
Affects
Bootstrap
>=1.4.0 <=3.4.1
in
Bootstrap
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

A cross-site scripting (XSS) vulnerability has been identified within the Bootstrap 3 Button component.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user. 

Details

Module Info

Vulnerability Info

Using a data-*-text attribute (i.e. data-complete-text) associated with a button’s state feature is not subject to content sanitization. As a result, restrictions are not applied to the HTML that can be shown inside the button. This can result in the injection of malicious scripts (XSS) that can lead to the exfiltration of sensitive data to remote servers.

Steps to Reproduce

The button component code does not properly sanitize the content that can be placed in attributes that follow the format data-[string]-text and are used in conjunction with the .button() method. A button that binds its data attribute to URL parameters or input fields would allow an attacker to inject malicious code. See the Proof of Concept in the next section.

Example Code

<input 
  id="firstName" 
  type="text" 
  value="<script>alert('XSS Input Success')</script><span>Loading XSS</span>"
/>
<button
  class="btn btn-primary input-test"
  data-loading-text="<span>I'm Loading</span>"
  type="button"
>
  Click Me
</button>

<script>
$(function () {
  $('.input-test').click(function () {
    var inputValue = $('#firstName').val();
    $(this).data('loadingText', inputValue);
    $(this).button('loading', inputValue);
  });
});
</script>

Proof of Concept

CodePen URL

A full proof of concept with code can be viewed here.

Credits

  • K (finder)

Mitigation

Bootstrap 3 has reached End-of-Life.  Users of the affected components should apply one of the following mitigations:

  • Migrate to a newer version of Bootstrap
  • Apply their own patch
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Addressing The Issue

Bootstrap 3 has reached end of life and a migration to a later version of Bootstrap is recommended.

Alternatively, HeroDevs offers a secure Bootstrap 3 drop-in replacement.

Despite Bootstrap version 3 reaching its end-of-life, HeroDevs has stepped up to provide a critical patch to address this vulnerability. This patch ensures that data attributes are properly sanitized, thus blocking the potential for XSS attacks through this vector.

HeroDevs clients paying for Bootstrap Never-Ending Support received the fix for this issue in the latest NES version of Bootstrap 3 (bootstrap@3.4.5). If you haven’t installed the latest version yet or need assistance, please contact our support team for help.

For all other Bootstrap 3 users, please consider a speedy migration away from Bootstrap 3. Alternatively, please reach out to explore how easy it is to receive secure Bootstrap 3 updates from HeroDevs.

Learning And Prevention

To further assist the community, HeroDevs offers detailed guidance on preventing similar vulnerabilities in the future. Key strategies include sanitizing data inputs, particularly those that interact with critical components like dynamic button content. We also recommend regularly reviewing and updating third-party libraries to catch and address potential security flaws before they can be exploited.

Conclusion

CVE-2024-6485 serves as a reminder of the importance of maintaining and securing software, even after it has reached end-of-life. With proactive measures and community support, we can ensure a safer digital environment for all users.

If you are interested in receiving security, compliance, and compatibility support for Bootstrap 3 and supporting libraries, please contact us.

Stay secure and ensure your systems are updated with the latest patches from HeroDevs. Follow our blog for more insights and security updates.

Vulnerability Details
ID
CVE-2024-6485
PROJECT Affected
Bootstrap
Versions Affected
>=1.4.0 <=3.4.1
Published date
July 11, 2024
≈ Fix date
July 11, 2024
Severity
Medium
Category
Cross-Site Scripting