Description

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Bootstrap is a popular library which has used jQuery's plugin mechanism extensively. But the jQuery plugins inside Bootstrap used to be implemented in an unsafe way that could make the users of Bootstrap vulnerable to Cross-site scripting (XSS) attacks. The core mistake is the use of the omnipotent jQuery $-function in places where a more specialized, and safer, function would have sufficed. This is particularly problematic in cases where the $-function evaluates its input as JavaScript-code instead of as a CSS-selector.

Remediation

Upgrade to the latest version of Bootstrap.

References

Cross-site Scripting (XSS) Attack - Acunetix

Fix/xss issues on data attributes

Related Vulnerabilities

WordPress Plugin Click to Chat Cross-Site Scripting (1.6)

WordPress Plugin Google Captcha (reCAPTCHA) by BestWebSoft Cross-Site Scripting (1.05)

WordPress Plugin Custom Text Selection Colors Cross-Site Scripting (1.0)

WordPress Plugin WpPygments Multiple Cross-Site Scripting Vulnerabilities (0.3.2)

WordPress Plugin All In One Schema.org Rich Snippets Cross-Site Scripting (1.4.4)

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XSS