- Bug
- Resolution: Won't Do
- Medium
- None
- Dublin Release
bootstrap.js is vulnerable to cross-site scripting (XSS). The data-target attribute in bootstrap.js interprets encoded HTML entities as standard HTML entities, allowing an attacker to craft input containing malicious JavaScript and inject it into the data-target attribute, resulting in cross-site scripting.
The following CVEs are related to specific XSS vulnerabilities that are addressed in version 4.1.2:
CVE-2018-14042
CVE-2018-20676
CVE-2018-20677
There is no completely non-vulnerable version of bootstrap.js. Alternatives should be investigated.
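The data-target behaviour described above can be checked in templates or rendered pages before they ship. The following is an added example, not code from Bootstrap or from this ticket: it decodes character references the way an HTML parser does and flags any data-target value that is not a single id or class selector. The selector allowlist, the function names and the sample markup are assumptions.

```javascript
// Added example: audit data-target values as the browser will see them.
// Assumptions: quoted attribute values only; allowlist policy chosen for illustration.

const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Decode the character references an HTML parser resolves inside an attribute value.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === '#') {
      const code = ref[1].toLowerCase() === 'x'
        ? parseInt(ref.slice(2), 16)
        : parseInt(ref.slice(1), 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED[ref.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Accept only a single id or class selector after decoding (assumed policy).
const SAFE_SELECTOR = /^[#.][A-Za-z][A-Za-z0-9_-]*$/;

function isSafeTarget(rawAttributeValue) {
  return SAFE_SELECTOR.test(decodeEntities(rawAttributeValue));
}

// Return every data-target in an HTML string whose decoded value fails the policy.
function findUnsafeTargets(html) {
  const findings = [];
  const attr = /\bdata-target\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2];
    if (!isSafeTarget(raw)) findings.push({ raw, decoded: decodeEntities(raw) });
  }
  return findings;
}

// Constructed sample: one ordinary selector, one entity-encoded element.
const SAMPLE = [
  '<button data-toggle="collapse" data-target="#menu">Menu</button>',
  '<button data-toggle="collapse" data-target="&lt;b&gt;x&lt;/b&gt;">Menu</button>',
].join('\n');

console.log(findUnsafeTargets(SAMPLE));
```

Checking the decoded value rather than the raw string is the point: the encoded form contains no angle brackets, so a filter that inspects only the raw attribute text passes it.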