CVE-2016-10735: XSS
First published: Mon Jun 27 2016(Updated: )
Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible-runner | <0:1.3.4-2.el8a | 0:1.3.4-2.el8a |
| redhat/ansible-tower | <0:3.5.2-1.el8a | 0:3.5.2-1.el8a |
| redhat/cfme | <0:5.11.0.28-1.el8cf | 0:5.11.0.28-1.el8cf |
| redhat/cfme-amazon-smartstate | <0:5.11.0.28-1.el8cf | 0:5.11.0.28-1.el8cf |
| redhat/cfme-appliance | <0:5.11.0.28-1.el8cf | 0:5.11.0.28-1.el8cf |
| redhat/cfme-gemset | <0:5.11.0.28-1.el8cf | 0:5.11.0.28-1.el8cf |
| redhat/ovirt-ansible-cluster-upgrade | <0:1.1.13-1.el8e | 0:1.1.13-1.el8e |
| redhat/ovirt-ansible-disaster-recovery | <0:1.2.0-1.el8e | 0:1.2.0-1.el8e |
| redhat/ovirt-ansible-engine-setup | <0:1.1.9-1.el8e | 0:1.1.9-1.el8e |
| redhat/ovirt-ansible-hosted-engine-setup | <0:1.0.26-1.el8e | 0:1.0.26-1.el8e |
| redhat/ovirt-ansible-image-template | <0:1.1.11-1.el8e | 0:1.1.11-1.el8e |
| redhat/ovirt-ansible-infra | <0:1.1.12-1.el8e | 0:1.1.12-1.el8e |
| redhat/ovirt-ansible-manageiq | <0:1.1.14-1.el8e | 0:1.1.14-1.el8e |
| redhat/ovirt-ansible-repositories | <0:1.1.5-1.el8e | 0:1.1.5-1.el8e |
| redhat/ovirt-ansible-roles | <0:1.1.7-2.el8e | 0:1.1.7-2.el8e |
| redhat/ovirt-ansible-shutdown-env | <0:1.0.3-1.el8e | 0:1.0.3-1.el8e |
| redhat/ovirt-ansible-vm-infra | <0:1.1.19-1.el8e | 0:1.1.19-1.el8e |
| redhat/prince | <0:12.4-1.el8cf | 0:12.4-1.el8cf |
| redhat/python3-ovirt-engine-sdk4 | <0:4.3.2-1.el8e | 0:4.3.2-1.el8e |
| redhat/python-bambou | <0:3.0.1-2.el8cf | 0:3.0.1-2.el8cf |
| redhat/python-colorama | <0:0.4.1-1.el8 | 0:0.4.1-1.el8 |
| redhat/python-daemon | <0:2.1.2-9.el8a | 0:2.1.2-9.el8a |
| redhat/python-funcsigs | <0:1.0.2-3.el8 | 0:1.0.2-3.el8 |
| redhat/python-future | <0:0.16.0-1.el8cf | 0:0.16.0-1.el8cf |
| redhat/python-lockfile | <1:0.11.0-8.el8a | 1:0.11.0-8.el8a |
| redhat/python-mock | <0:2.0.0-11.el8 | 0:2.0.0-11.el8 |
| redhat/python-pbr | <0:5.1.2-2.el8 | 0:5.1.2-2.el8 |
| redhat/python-pexpect | <0:4.6-2.el8a | 0:4.6-2.el8a |
| redhat/python-psutil | <0:5.4.3-5.el8a | 0:5.4.3-5.el8a |
| redhat/python-pylxca | <0:2.1.1-2.el8cf | 0:2.1.1-2.el8cf |
| redhat/python-requests-toolbelt | <0:0.8.0-2.el8cf | 0:0.8.0-2.el8cf |
| redhat/python-tabulate | <0:0.8.2-1.el8cf | 0:0.8.2-1.el8cf |
| redhat/python-vspk | <0:5.3.2-2.el8cf | 0:5.3.2-2.el8cf |
| redhat/qpid-proton | <0:0.28.0-1.el8 | 0:0.28.0-1.el8 |
| redhat/repmgr10 | <0:4.0.6-3.el8cf | 0:4.0.6-3.el8cf |
| redhat/rubygem-bcrypt | <0:3.1.13-1.el8cf | 0:3.1.13-1.el8cf |
| redhat/rubygem-byebug | <0:11.0.1-1.el8cf | 0:11.0.1-1.el8cf |
| redhat/rubygem-ffi | <0:1.9.25-1.el8cf | 0:1.9.25-1.el8cf |
| redhat/rubygem-hamlit | <0:2.8.10-1.el8cf | 0:2.8.10-1.el8cf |
| redhat/rubygem-nio4r | <0:2.4.0-1.el8cf | 0:2.4.0-1.el8cf |
| redhat/rubygem-nokogiri | <0:1.8.5-1.el8cf | 0:1.8.5-1.el8cf |
| redhat/rubygem-ovirt-engine-sdk4 | <0:4.3.0-1.el8cf | 0:4.3.0-1.el8cf |
| redhat/rubygem-puma | <0:3.7.1-1.el8cf | 0:3.7.1-1.el8cf |
| redhat/rubygem-rugged | <0:0.28.2-1.el8cf | 0:0.28.2-1.el8cf |
| redhat/rubygem-sassc | <0:2.0.1-1.el8cf | 0:2.0.1-1.el8cf |
| redhat/rubygem-sqlite3 | <0:1.3.13-2.el8cf | 0:1.3.13-2.el8cf |
| redhat/rubygem-surro-gate | <0:1.0.5-1.el8cf | 0:1.0.5-1.el8cf |
| redhat/rubygem-websocket-driver | <0:0.6.5-1.el8cf | 0:0.6.5-1.el8cf |
| redhat/smem | <0:1.4-1.el8cf | 0:1.4-1.el8cf |
| redhat/v2v-conversion-host | <0:1.14.2-1.el8e | 0:1.14.2-1.el8e |
| redhat/wmi | <0:1.3.14-8.el8cf | 0:1.3.14-8.el8cf |
| redhat/ipa | <0:4.6.8-5.el7 | 0:4.6.8-5.el7 |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
| redhat/ovirt-engine-api-explorer | <0:0.0.4-1.el7e | 0:0.0.4-1.el7e |
| redhat/ovirt-engine-api-explorer | <0:0.0.5-1.el7e | 0:0.0.5-1.el7e |
| redhat/ovirt-engine-ui-extensions | <0:1.0.10-1.el7e | 0:1.0.10-1.el7e |
| redhat/bootstrap | <3.4.0 | 3.4.0 |
| redhat/bootstrap | <4.0.0 | 4.0.0 |
| nuget/bootstrap.sass | >=4.0.0-beta<4.0.0-beta.2 | 4.0.0-beta.2 |
| rubygems/bootstrap-sass | >=2.0.4<3.4.0 | 3.4.0 |
| npm/bootstrap-sass | >=2.0.4<3.4.0 | 3.4.0 |
| nuget/bootstrap | >=4.0.0-beta<4.0.0-beta.2 | 4.0.0-beta.2 |
| nuget/bootstrap | >=2.0.4<3.4.0 | 3.4.0 |
| composer/twbs/bootstrap | >=4.0.0-beta<4.0.0-beta.2 | 4.0.0-beta.2 |
| composer/twbs/bootstrap | >=2.0.4<3.4.0 | 3.4.0 |
| rubygems/bootstrap | <4.0.0-beta.2 | 4.0.0-beta.2 |
| maven/org.webjars:bootstrap | >=4.0.0-beta<4.0.0-beta.2 | 4.0.0-beta.2 |
| maven/org.webjars:bootstrap | >=2.0.4<3.4.0 | 3.4.0 |
| npm/bootstrap | >=2.0.4<3.4.0 | 3.4.0 |
| npm/bootstrap | >=4.0.0-beta<4.0.0-beta.2 | 4.0.0-beta.2 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
| Twitter Bootstrap | >=3.0.0<3.4.0 | |
| Twitter Bootstrap | =4.0.0-beta |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2016-10735 https://nvd.nist.gov/vuln/detail/CVE-2016-10735
- https://bugzilla.redhat.com/show_bug.cgi?id=1668097
- https://access.redhat.com/errata/RHBA-2019:4199
- https://access.redhat.com/errata/RHSA-2020:0133
- https://access.redhat.com/errata/RHSA-2020:3936
- https://access.redhat.com/errata/RHSA-2020:4670
- https://access.redhat.com/errata/RHSA-2020:4847
- https://access.redhat.com/errata/RHSA-2023:0556
- https://access.redhat.com/errata/RHSA-2023:0553
- https://access.redhat.com/errata/RHSA-2023:0554
- https://access.redhat.com/errata/RHSA-2023:0552
- https://access.redhat.com/errata/RHSA-2020:5571
- https://access.redhat.com/errata/RHSA-2020:0132
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/errata/RHBA-2019:1076
- https://access.redhat.com/errata/RHBA-2019:1570
- https://access.redhat.com/errata/RHSA-2019:3023
- https://access.redhat.com/security/cve/cve-2016-10735
- https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
- https://github.com/twbs/bootstrap/issues/20184
- https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
- https://github.com/twbs/bootstrap/pull/23679
- https://github.com/twbs/bootstrap/pull/23687
- https://github.com/twbs/bootstrap/pull/26460
- https://www.tenable.com/security/tns-2021-14
- https://access.redhat.com/security/cve/CVE-2018-14041
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1670553
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1670554
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1670556
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1670555
- https://access.redhat.com/support/policy/updates/satellite
- https://nvd.nist.gov/vuln/detail/CVE-2016-10735
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2016-10735.yml
- https://github.com/github/advisory-database/pull/3281
- https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
- https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2016-10735.yml
- https://github.com/advisories/GHSA-4p24-vmcr-4gqj (Advisory)
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2016-10735?
CVE-2016-10735 is classified as a medium severity vulnerability due to the potential for cross-site scripting attacks.
How do I fix CVE-2016-10735?
To fix CVE-2016-10735, update your Bootstrap version to 4.0.0 or later.
Which versions of Bootstrap are affected by CVE-2016-10735?
Bootstrap versions prior to 4.0.0 are affected by CVE-2016-10735.
What type of vulnerability is CVE-2016-10735?
CVE-2016-10735 is a cross-site scripting vulnerability that allows remote code execution in a victim's browser.
Who is impacted by CVE-2016-10735?
Web applications utilizing vulnerable versions of Bootstrap are potentially impacted by CVE-2016-10735.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-10735
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4p24-vmcr-4gqj
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/nuget
- package-manager/rubygems
- package-manager/npm
- package-manager/composer
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4
- vendor/getbootstrap
- canonical/twitter bootstrap
- version/twitter bootstrap/3.0.0
- version/twitter bootstrap/4.0.0-beta