CVE-2019-20921: XSS
First published: Thu Feb 14 2019(Updated: )
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ovirt-web-ui | <0:1.6.7-1.el8e | 0:1.6.7-1.el8e |
| redhat/ovirt-engine-ui-extensions | <0:1.2.5-1.el8e | 0:1.2.5-1.el8e |
| redhat/nodejs-bootstrap-select | <1.13.6 | 1.13.6 |
| nuget/bootstrap-select | <1.13.6 | 1.13.6 |
| npm/bootstrap-select | <1.13.6 | 1.13.6 |
| Easy!Appointments | <1.13.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-20921 https://nvd.nist.gov/vuln/detail/CVE-2019-20921 https://github.com/advisories/GHSA-9r7h-6639-v5mw https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
- https://bugzilla.redhat.com/show_bug.cgi?id=1882273
- https://access.redhat.com/errata/RHSA-2021:1169
- https://access.redhat.com/errata/RHSA-2021:1186
- https://access.redhat.com/security/cve/cve-2019-20921
- https://github.com/advisories/GHSA-9r7h-6639-v5mw
- https://github.com/snapappointments/bootstrap-select/issues/2199
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
- https://www.npmjs.com/advisories/1522
- https://github.com/snapappointments/bootstrap-select/commit/9c0dc0dc06258c5993be3e5048b8919377a704ec
- https://nvd.nist.gov/vuln/detail/CVE-2019-20921
- https://github.com/snapappointments/bootstrap-select/commit/ab6e068748040cf3cda5859f6349b382402b8767
- https://github.com/advisories/GHSA-7c82-mp33-r854 (Advisory)
- https://issues.jtl-software.de/issues/SHOP-7964
Frequently Asked Questions
What is the severity of CVE-2019-20921?
CVE-2019-20921 is classified as a medium severity vulnerability due to its potential for Cross-Site Scripting (XSS) attacks.
How do I fix CVE-2019-20921?
To fix CVE-2019-20921, update to bootstrap-select version 1.13.6 or later.
What types of applications are affected by CVE-2019-20921?
CVE-2019-20921 affects applications using bootstrap-select versions prior to 1.13.6, particularly those using the library for handling dropdowns.
What is Cross-Site Scripting (XSS) in the context of CVE-2019-20921?
In the context of CVE-2019-20921, Cross-Site Scripting (XSS) allows attackers to execute arbitrary JavaScript in the user's browser, potentially compromising user data.
Who is impacted by CVE-2019-20921?
Users of applications that incorporate vulnerable versions of bootstrap-select are impacted by CVE-2019-20921.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-20921
- agent/software-canonical-lookup
- agent/author
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7c82-mp33-r854
- agent/last-modified-date
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- package-manager/redhat
- package-manager/nuget
- package-manager/npm
- vendor/snapappointments
- canonical/easy!appointments