Description

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Bootstrap is a popular library which has used jQuery's plugin mechanism extensively. But the jQuery plugins inside Bootstrap used to be implemented in an unsafe way that could make the users of Bootstrap vulnerable to Cross-site scripting (XSS) attacks. The core mistake is the use of the omnipotent jQuery $-function in places where a more specialized, and safer, function would have sufficed. This is particularly problematic in cases where the $-function evaluates its input as JavaScript-code instead of as a CSS-selector.

Remediation

Upgrade to the latest version of Bootstrap.

References

Related Vulnerabilities