First published: Tue May 29 2018
A flaw was found in Bootstrap from version 4.0 and before 4.1.2. Cross-site scripting (XSS) is possible through the collapse data-parent attribute.
References: https://github.com/twbs/bootstrap/issues/26625
Upstream patch: https://github.com/twbs/bootstrap/pull/26630
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ipa | <0:4.6.8-5.el7 | 0:4.6.8-5.el7 |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
Debian Debian Linux | =8.0 | |
Getbootstrap Bootstrap | <3.4.0 | |
Getbootstrap Bootstrap | >=4.0.0<4.1.2 | |
Getbootstrap Bootstrap | =4.0.0-alpha | |
Getbootstrap Bootstrap | =4.0.0-alpha2 | |
Getbootstrap Bootstrap | =4.0.0-alpha3 | |
Getbootstrap Bootstrap | =4.0.0-alpha4 | |
Getbootstrap Bootstrap | =4.0.0-alpha5 | |
Getbootstrap Bootstrap | =4.0.0-alpha6 | |
Getbootstrap Bootstrap | =4.0.0-beta | |
Getbootstrap Bootstrap | =4.0.0-beta2 | |
Getbootstrap Bootstrap | =4.0.0-beta3 | |
rubygems/bootstrap | >=2.3.0<3.4.0 | 3.4.0 |
npm/bootstrap | >=2.3.0<3.4.0 | 3.4.0 |
rubygems/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
npm/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
redhat/bootstrap | <4.1.2 | 4.1.2 |
redhat/bootstrap | <3.4.1 | 3.4.1 |
composer/twbs/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
composer/twbs/bootstrap | >=2.3.0<3.4.0 | 3.4.0 |
rubygems/bootstrap-sass | >=2.3.0<3.4.0 | 3.4.0 |
nuget/bootstrap.sass | >=4.0.0<4.1.2 | 4.1.2 |
nuget/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
nuget/bootstrap | >=2.3.0<3.4.0 | 3.4.0 |
maven/org.webjars:bootstrap | >=2.3.0<3.4.0 | 3.4.0 |
maven/org.webjars:bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
The severity of CVE-2018-14040 is medium.
CVE-2018-14040 affects Bootstrap by allowing cross-site scripting (XSS) attacks through the collapse data-parent attribute.
The known remedy for CVE-2018-14040 is to update Bootstrap to version 4.1.2.
The Common Weakness Enumeration (CWE) identifier for CVE-2018-14040 is CWE-79.