Cross-Site Scripting (XSS) vulnerability - CVE-2024-6484

[mohan26]

Prerequisites

• I have searched for duplicate or closed issues
• I have validated any HTML to avoid common problems
• I have read the contributing guidelines

Describe the issue

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of a tag due to inadequate sanitization. This vulnerability could enable attackers to execute arbitrary JavaScript within the victim's browser.
Found a medium-level vulnerability issue in the Fortify scan for all versions below 5.3.3
References
GHSA-9mvj-f7w8-pvh2

Reduced test cases

vulnerability issue

What operating system(s) are you seeing the problem on?

Windows

What browser(s) are you seeing the problem on?

Chrome

What version of Bootstrap are you using?

5.3.3

[julien-deramond]

Thanks for reporting an issue @mohan26
As mentioned in GHSA-9mvj-f7w8-pvh2 and https://www.herodevs.com/vulnerability-directory/cve-2024-6484, this CVE affects Bootstrap >=2.0.0 <=3.4.1.
Both these versions are EOL (End-Of Life) are won't be updated. It is recommended to upgrade your project to the latest version of Bootstrap.

[mohan26]

@julien-deramond As I have mentioned in the description I have already using upgraded version - 5.3.3 , please recheck on this

[jpsla94]

@julien-deramond As I have mentioned in the description I have already using upgraded version - 5.3.3 , please recheck on this

Hello @julien-deramond,

Any update regarding this?

Best regards,
João Lola

[julien-deramond]

Our security team is evaluating the impact on v5 based on the recent CVEs.
If there's an impact, we'll patch the v5. For now, v5 is considered as not impacted.
This specific CVE, as mentioned in its description is not related to v5. So I'm keeping this issue closed.