Bootstrap Cross-site Scripting vulnerability

GHSA-4p24-vmcr-4gqj · CVE-2016-10735

Published Jan 17, 2019 · Modified Feb 4, 2026

Description

In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.

See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.

References

6.1 / 10

MEDIUM CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Packages

Maven/org.webjars:bootstrap

Fix 3.4.0, 4.0.0-beta.2

Introduced 2.0.4, 4.0.0-beta

33 affected versions

2.1.12.2.12.2.22.2.2-12.3.02.3.12.3.1-12.3.23.0.03.0.0-rc.23.0.0-rc13.0.13.0.23.0.33.1.03.1.13.1.1-13.1.1-23.2.03.2.0-1 +13 more

NuGet/bootstrap

Fix 3.4.0, 4.0.0-beta.2

Introduced 2.0.4, 4.0.0-beta

19 affected versions

2.3.12.3.23.0.03.0.13.0.23.0.33.1.03.1.13.2.03.3.03.3.13.3.23.3.43.3.53.3.63.3.6-jQuery33.3.6.13.3.74.0.0-beta

NuGet/bootstrap.sass

Fix 4.0.0-beta.2

Introduced 4.0.0-beta

1 affected version

4.0.0-beta

Packagist/twbs/bootstrap

Fix 3.4.0, 4.0.0-beta.2

Introduced 2.0.4, 4.0.0-beta

21 affected versions

v2.2.2v2.3.0v2.3.1v2.3.2v3.0.0v3.0.0-rc.2v3.0.0-rc1v3.0.1v3.0.2v3.0.3v3.1.0v3.1.1v3.2.0v3.3.0v3.3.1v3.3.2v3.3.4v3.3.5v3.3.6v3.3.7 +1 more

RubyGems/bootstrap

Fix 4.0.0-beta.2

Introduced 0

11 affected versions

4.0.0.alpha14.0.0.alpha24.0.0.alpha34.0.0.alpha3.14.0.0.alpha44.0.0.alpha54.0.0.alpha64.0.0.beta4.0.0.beta24.0.0.beta2.14.0.0.beta3

RubyGems/bootstrap-sass

Fix 3.4.0

Introduced 2.0.4

42 affected versions

2.0.4.02.0.4.12.0.4.22.1.0.02.1.0.12.1.1.02.2.1.02.2.1.12.2.2.02.3.0.02.3.0.12.3.1.02.3.1.22.3.1.32.3.2.02.3.2.12.3.2.23.0.0.03.0.0.0.rc3.0.0.0.rc2 +22 more

npm/bootstrap

Fix 3.4.0, 4.0.0-beta.2

Introduced 2.0.4, 4.0.0-beta

npm/bootstrap-sass

Fix 3.4.0

Introduced 2.0.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes