Overview
Bootstrap is an HTML, CSS, and JS framework for developing responsive, mobile-first web sites and applications.
A cross-site scripting (XSS) vulnerability (CVE-2024-6531) has been identified within the Bootstrap 4 Carousel component.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
Details
Module Info
- Product: Bootstrap
- Affected packages: bootstrap
- Affected versions: >=4.0.0 <=4.6.2
- GitHub repository: https://github.com/twbs/bootstrap
- Published packages: https://www.npmjs.com/package/bootstrap
- Package manager: npm
- Fixed in: Bootstrap NES v4.6.4
Vulnerability Info
An anchor element (<a>), when used for carousel navigation with a data-slide attribute, can contain an href attribute value that is not subject to proper content sanitization. Improper extraction of the intended target carousel’s #id from the href attribute can lead to use cases where the click event’s preventDefault() is not applied and the href is evaluated and executed. As a result, restrictions are not applied to the data that is evaluated, which can lead to potential XSS vulnerabilities.
Steps To Reproduce
The carousel component code does not properly extract and sanitize the data from the href attribute of anchor elements that are used for navigation when they include the data-slide attribute but are also missing a valid data-target=”#someCarouselId”. The presence of a valid data-target will override the href and the XSS will not be evaluated.
See the Proof of Concept in the next section.
Example Code
<div id="myCarousel" class="carousel"></div>
<a href="javascript:alert('XSS href')" data-slide="prev">
Previous Slide
</a>
Proof Of Concept
CodePen URL
A full proof of concept with code can be viewed here.
Credits
- K (finder)
Mitigation
Bootstrap 4 has reached End-of-Life. Users of the affected components should apply one of the following mitigations:
- Migrate to a newer version of Bootstrap.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Addressing The Issue
Despite Bootstrap version 4 reaching its end-of-life, HeroDevs has stepped up to provide a critical patch to address this vulnerability. This patch ensures that href attributes are properly sanitized, thus blocking the potential for XSS attacks through this vector.
HeroDevs clients paying for Bootstrap Never-Ending Support received the fix for this issue in the latest NES version of Bootstrap 4 (bootstrap@4.6.2-bootstrap-4.6.4). If you haven’t installed the latest version yet or need assistance, please contact our support team for help.
For all other Bootstrap 4 users, please consider a speedy migration away from Bootstrap 4. Alternatively, please reach out to explore how easy it is to receive secure Bootstrap 4 updates from HeroDevs.
Learning And Prevention
To further assist the community, HeroDevs offers detailed guidance on preventing similar vulnerabilities in the future. Key strategies include sanitizing data inputs, particularly those that interact with critical components like dynamic carousel navigation. We also recommend regularly reviewing and updating third-party libraries to catch and address potential security flaws before they can be exploited.
Conclusion
CVE-2024-6531 serves as a reminder of the importance of maintaining and securing software, even after it has reached end-of-life. With proactive measures and community support, we can ensure a safer digital environment for all users.
If you are interested in receiving security, compliance, and compatibility support for Bootstrap 4 and supporting libraries, please contact us.
Stay secure and ensure your systems are updated with the latest patches from HeroDevs. Follow our blog for more insights and security updates.
