CVE-2018-14041: XSS
First published: Tue May 29 2018(Updated: )
A flaw was found in Bootstrap from version 4.0 and before 4.1.2. A Cross-site Scripting (XSS) is possible in the data-target property of scrollspy. References: <a href="https://github.com/twbs/bootstrap/issues/26627">https://github.com/twbs/bootstrap/issues/26627</a> Upstream Patch: <a href="https://github.com/twbs/bootstrap/pull/26630">https://github.com/twbs/bootstrap/pull/26630</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/typo3/cms | >=8.0.0<8.7.23>=9.0.0<9.5.4 | |
| composer/typo3/cms-core | >=8.0.0<8.7.23>=9.0.0<9.5.4 | |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
| redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
| Getbootstrap Bootstrap | >=4.0.0<4.1.2 | |
| Getbootstrap Bootstrap | =4.0.0-alpha | |
| Getbootstrap Bootstrap | =4.0.0-alpha2 | |
| Getbootstrap Bootstrap | =4.0.0-alpha3 | |
| Getbootstrap Bootstrap | =4.0.0-alpha4 | |
| Getbootstrap Bootstrap | =4.0.0-alpha5 | |
| Getbootstrap Bootstrap | =4.0.0-alpha6 | |
| Getbootstrap Bootstrap | =4.0.0-beta | |
| Getbootstrap Bootstrap | =4.0.0-beta2 | |
| Getbootstrap Bootstrap | =4.0.0-beta3 | |
| redhat/bootstrap | <4.1.2 | 4.1.2 |
| composer/typo3/cms | >=9.0.0<9.5.4 | 9.5.4 |
| composer/typo3/cms | >=8.0.0<8.7.23 | 8.7.23 |
| composer/typo3/cms-core | >=9.0.0<9.5.4 | 9.5.4 |
| composer/typo3/cms-core | >=8.0.0<8.7.23 | 8.7.23 |
| npm/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
| maven/org.webjars:bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
| nuget/bootstrap.sass | >=4.0.0<4.1.2 | 4.1.2 |
| nuget/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
| composer/twbs/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
| rubygems/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://typo3.org/security/advisory/typo3-core-sa-2019-006
- https://www.cve.org/CVERecord?id=CVE-2018-14041 https://nvd.nist.gov/vuln/detail/CVE-2018-14041
- https://bugzilla.redhat.com/show_bug.cgi?id=1601616
- https://access.redhat.com/errata/RHSA-2023:0556
- https://access.redhat.com/errata/RHSA-2023:0553
- https://access.redhat.com/errata/RHSA-2023:0554
- https://access.redhat.com/errata/RHSA-2023:0552
- https://access.redhat.com/errata/RHSA-2019:1456
- https://access.redhat.com/security/cve/CVE-2018-14041
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- http://seclists.org/fulldisclosure/2019/May/10
- http://seclists.org/fulldisclosure/2019/May/11
- http://seclists.org/fulldisclosure/2019/May/13
- https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
- https://github.com/twbs/bootstrap/issues/26423
- https://github.com/twbs/bootstrap/issues/26627
- https://github.com/twbs/bootstrap/pull/26630
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@%3Cissues.hbase.apache.org%3E
- https://seclists.org/bugtraq/2019/May/18
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2183421
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2183418
- https://access.redhat.com/errata/RHSA-2023:5693
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2018-14041
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2018-14041.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-14041.yaml
- https://github.com/advisories/GHSA-pj7m-g53m-7638 (Advisory)
- https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/146467
- https://www.ibm.com/support/pages/node/6336361 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this cross-site scripting vulnerability in Bootstrap CSS toolkit?
The vulnerability ID is CVE-2018-14041.
What is the severity of CVE-2018-14041?
The severity of CVE-2018-14041 is medium (6.1).
Which software versions are affected by CVE-2018-14041?
The affected software versions are TYPO3 CMS versions 8.0.0 to 8.7.23 and 9.0.0 to 9.5.4, and Red Hat EAP7 HAL Console versions 0:3.3.16-1.Final_redhat_00001.1.el8ea, 0:3.3.16-1.Final_redhat_00001.1.el9ea, and 0:3.3.16-1.Final_redhat_00001.1.el7ea.
How does this vulnerability in Bootstrap CSS toolkit affect the user?
This vulnerability allows a remote attacker to execute scripts in a victim's web browser within the security context of the hosting website.
How can I mitigate the cross-site scripting vulnerability in Bootstrap CSS toolkit?
To mitigate this vulnerability, update to TYPO3 CMS versions 8.7.24 or 9.5.5, or apply the appropriate patch provided by Red Hat for EAP7 HAL Console.
- collector/friends-of-php
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-14041
- agent/software-canonical-lookup
- agent/author
- collector/nvd-cve
- source/NVD
- agent/description
- collector/github-advisory
- source/GitHub
- alias/GHSA-pj7m-g53m-7638
- collector/github-advisory-latest
- agent/last-modified-date
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/references
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- package-manager/redhat
- vendor/getbootstrap
- canonical/getbootstrap bootstrap
- version/getbootstrap bootstrap/4.0.0
- version/getbootstrap bootstrap/4.0.0-alpha
- version/getbootstrap bootstrap/4.0.0-alpha2
- version/getbootstrap bootstrap/4.0.0-alpha3
- version/getbootstrap bootstrap/4.0.0-alpha4
- version/getbootstrap bootstrap/4.0.0-alpha5
- version/getbootstrap bootstrap/4.0.0-alpha6
- version/getbootstrap bootstrap/4.0.0-beta
- version/getbootstrap bootstrap/4.0.0-beta2
- version/getbootstrap bootstrap/4.0.0-beta3
- package-manager/npm
- package-manager/maven
- package-manager/nuget
- package-manager/rubygems