CVE-2024-6531

Overview

Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.

A cross-site scripting (XSS) vulnerability has been identified within the Bootstrap 4 Carousel component.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user. 

Details

Module Info

• Package manager: npm
• Affected component: carousel
• Affected versions: >=4.0.0 <=4.6.2
• Link to published package: https://www.npmjs.com/package/bootstrap
• Github repo: https://github.com/twbs/bootstrap/

Vulnerability Info

An anchor element (<a>), when used for carousel navigation with a data-slide attribute, can contain an href attribute value that is not subject to proper content sanitization. Improper extraction of the intended target carousel’s #id from the href attribute can lead to use cases where the click event’s preventDefault() is not applied and the href is evaluated and executed. As a result, restrictions are not applied to the data that is evaluated, which can lead to potential XSS vulnerabilities.

Steps to Reproduce

The carousel component code does not properly extract and sanitize the data from the href attribute of anchor elements that are used for navigation when they include the data-slide  attribute but are also missing a valid data-target=”#someCarouselId”. The presence of a valid data-target will override the href and the XSS will not be evaluated. 

See the Proof of Concept in the next section. 

Example Code

<div id="myCarousel" class="carousel"></div>

<a href="javascript:alert('XSS href')" data-slide="prev">

  Previous Slide

</a>

‍

Proof of Concept

CodePen URL

A full proof of concept with code can be viewed here.

Mitigation

Bootstrap 4 has reached End-of-Life.  Users of the affected components should apply one of the following mitigations:

• Migrate to a newer version of Bootstrap
• Apply their own patch
• Leverage a commercial support partner like HeroDevs for post-EOL security support.

Addressing The Issue

Despite Bootstrap version 4 reaching its end-of-life, HeroDevs has stepped up to provide a critical patch to address this vulnerability. This patch ensures that href attributes are properly sanitized, thus blocking the potential for XSS attacks through this vector.

HeroDevs clients paying for Bootstrap Never-Ending Support received the fix for this issue in the latest NES version of Bootstrap 4 (bootstrap@4.6.2-bootstrap-4.6.4). If you haven’t installed the latest version yet or need assistance, please contact our support team for help.

For all other Bootstrap 4 users, please consider a speedy migration away from Bootstrap 4. Alternatively, please reach out to explore how easy it is to receive secure Bootstrap 4 updates from HeroDevs.

Learning And Prevention

To further assist the community, HeroDevs offers detailed guidance on preventing similar vulnerabilities in the future. Key strategies include sanitizing data inputs, particularly those that interact with critical components like dynamic carousel navigation. We also recommend regularly reviewing and updating third-party libraries to catch and address potential security flaws before they can be exploited.

‍Conclusion

CVE-2024-6531 serves as a reminder of the importance of maintaining and securing software, even after it has reached end-of-life. With proactive measures and community support, we can ensure a safer digital environment for all users.

If you are interested in receiving security, compliance, and compatibility support for Bootstrap 4 and supporting libraries, please contact us.

Stay secure and ensure your systems are updated with the latest patches from HeroDevs. Follow our blog for more insights and security updates.

‍