First published: Tue May 29 2018
A flaw was found in Bootstrap from version 4.0 and before 4.1.2. Cross-site Scripting (XSS) is possible in the data-target property of scrollspy. References: https://github.com/twbs/bootstrap/issues/26627 Upstream Patch: https://github.com/twbs/bootstrap/pull/26630
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
composer/typo3/cms | >=8.0.0 <8.7.23, >=9.0.0 <9.5.4 | |
composer/typo3/cms-core | >=8.0.0 <8.7.23, >=9.0.0 <9.5.4 | |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el8ea | 0:3.3.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el9ea | 0:3.3.16-1.Final_redhat_00001.1.el9ea |
redhat/eap7-hal-console | <0:3.3.16-1.Final_redhat_00001.1.el7ea | 0:3.3.16-1.Final_redhat_00001.1.el7ea |
Getbootstrap Bootstrap | >=4.0.0<4.1.2 | |
Getbootstrap Bootstrap | =4.0.0-alpha | |
Getbootstrap Bootstrap | =4.0.0-alpha2 | |
Getbootstrap Bootstrap | =4.0.0-alpha3 | |
Getbootstrap Bootstrap | =4.0.0-alpha4 | |
Getbootstrap Bootstrap | =4.0.0-alpha5 | |
Getbootstrap Bootstrap | =4.0.0-alpha6 | |
Getbootstrap Bootstrap | =4.0.0-beta | |
Getbootstrap Bootstrap | =4.0.0-beta2 | |
Getbootstrap Bootstrap | =4.0.0-beta3 | |
redhat/bootstrap | <4.1.2 | 4.1.2 |
maven/org.webjars:bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
nuget/bootstrap.sass | >=4.0.0<4.1.2 | 4.1.2 |
nuget/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
composer/twbs/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
rubygems/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
composer/typo3/cms | >=9.0.0<9.5.4 | 9.5.4 |
composer/typo3/cms | >=8.0.0<8.7.23 | 8.7.23 |
composer/typo3/cms-core | >=9.0.0<9.5.4 | 9.5.4 |
composer/typo3/cms-core | >=8.0.0<8.7.23 | 8.7.23 |
npm/bootstrap | >=4.0.0<4.1.2 | 4.1.2 |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
The vulnerability ID is CVE-2018-14041.
The severity of CVE-2018-14041 is medium (6.1).
The affected software versions are TYPO3 CMS versions 8.0.0 to 8.7.23 and 9.0.0 to 9.5.4, and Red Hat EAP7 HAL Console versions 0:3.3.16-1.Final_redhat_00001.1.el8ea, 0:3.3.16-1.Final_redhat_00001.1.el9ea, and 0:3.3.16-1.Final_redhat_00001.1.el7ea.
This vulnerability allows a remote attacker to execute scripts in a victim's web browser within the security context of the hosting website.
To mitigate this vulnerability, update to TYPO3 CMS versions 8.7.24 or 9.5.5, or apply the appropriate patch provided by Red Hat for EAP7 HAL Console.