Description

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Bootstrap is a popular library which has used jQuery's plugin mechanism extensively. But the jQuery plugins inside Bootstrap used to be implemented in an unsafe way that could make the users of Bootstrap vulnerable to Cross-site scripting (XSS) attacks. The core mistake is the use of the omnipotent jQuery $-function in places where a more specialized, and safer, function would have sufficed. This is particularly problematic in cases where the $-function evaluates its input as JavaScript-code instead of as a CSS-selector.

Remediation

Upgrade to the latest version of Bootstrap.

References

Cross-site Scripting (XSS) Attack - Acunetix

Fix/xss issues on data attributes

Related Vulnerabilities

WordPress Plugin Shortcode for Font Awesome Cross-Site Scripting (1.4)

WordPress Plugin Product Addons & Fields for WooCommerce Cross-Site Scripting (32.0.6)

WordPress Plugin PowerPack Lite for Beaver Builder Cross-Site Scripting (1.3.0)

WordPress Plugin WassUp Real Time Analytics Cross-Site Scripting (1.9)

WordPress Plugin Video.js-HTML5 Video Player for Wordpress Cross-Site Scripting (4.5.0)

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

XSS