First published: Fri Aug 10 2018(Updated: )
Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. A remote attacker could exploit this vulnerability to execute script in a victim''s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ceph | <2:17.2.6-148.el9c | 2:17.2.6-148.el9c |
redhat/ipa | <0:4.6.8-5.el7 | 0:4.6.8-5.el7 |
redhat/ovirt-engine-api-explorer | <0:0.0.4-1.el7e | 0:0.0.4-1.el7e |
redhat/ovirt-engine-api-explorer | <0:0.0.5-1.el7e | 0:0.0.5-1.el7e |
redhat/ovirt-engine-ui-extensions | <0:1.0.10-1.el7e | 0:1.0.10-1.el7e |
Getbootstrap Bootstrap | <3.4.0 | |
redhat/bootstrap | <3.4.0 | 3.4.0 |
nuget/bootstrap | <3.4.0 | 3.4.0 |
rubygems/bootstrap-sass | <3.4.0 | 3.4.0 |
rubygems/bootstrap | <3.4.0 | 3.4.0 |
maven/org.webjars:bootstrap | <3.4.0 | 3.4.0 |
composer/twbs/bootstrap | <3.4.0 | 3.4.0 |
npm/bootstrap-sass | <3.4.0 | 3.4.0 |
npm/bootstrap | <3.4.0 | 3.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2018-20676 is a vulnerability in Bootstrap before version 3.4.0 that allows for cross-site scripting (XSS) in the tooltip data-viewport attribute.
CVE-2018-20676 has a severity score of 6.1, which is considered medium.
Bootstrap versions before 3.4.0 are affected by CVE-2018-20676.
To fix CVE-2018-20676, you should update Bootstrap to version 3.4.0 or later.
You can find more information about CVE-2018-20676 at the following references: [link 1](https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/), [link 2](https://github.com/twbs/bootstrap/issues/27044), [link 3](https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906).