GHSA-9v3m-8fp8-mj99

GitHub Security Advisory

Bootstrap Vulnerable to Cross-Site Scripting

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

Versions of `bootstrap` prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The `data-template` attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.

## Recommendation

For `bootstrap` 4.x upgrade to 4.3.1 or later.
For `bootstrap` 3.x upgrade to 3.4.1 or later.
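A dependency check for the version ranges stated above, written as an added example rather than code from the advisory or from Bootstrap itself. It assumes a flat `{ name: version }` map as produced from a lockfile (the sample map is constructed) and treats a pre-release tag such as `4.3.1-beta` as sorting before the fixed release, so it is still flagged.

```javascript
// Added example: flag bootstrap dependency versions inside the ranges given
// by GHSA-9v3m-8fp8-mj99: 3.0.0 <= v < 3.4.1 and 4.0.0 <= v < 4.3.1.
const ADVISORY = 'GHSA-9v3m-8fp8-mj99';

// [affected-from, fixed-in) pairs copied from the advisory for the npm /
// RubyGems package names it lists.
const AFFECTED = {
  bootstrap: [['3.0.0', '3.4.1'], ['4.0.0', '4.3.1']],
  'bootstrap-sass': [['3.0.0', '3.4.1']],
};

// Parse "major.minor.patch[-prerelease]" into a comparable tuple. The fourth
// element is 1 for a release and 0 for a pre-release, so "4.3.1-beta" < "4.3.1".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// strcmp-style comparison of two parsed version tuples.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the fixed version if name@version is affected, otherwise null.
function affectedBy(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges) return null;
  const v = parseVersion(version);
  for (const [lo, hi] of ranges) {
    if (compareVersions(v, parseVersion(lo)) >= 0 &&
        compareVersions(v, parseVersion(hi)) < 0) {
      return hi;
    }
  }
  return null;
}

// Walk a flat dependency map and collect findings with the upgrade target.
function scanDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const fixedIn = affectedBy(name, version);
    if (fixedIn) findings.push({ name, version, fixedIn, advisory: ADVISORY });
  }
  return findings;
}

// Constructed sample lockfile contents, not data from a real project.
const SAMPLE_DEPS = { bootstrap: '4.1.3', 'bootstrap-sass': '3.4.1', jquery: '3.3.1' };
console.log(scanDependencies(SAMPLE_DEPS));
```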

## Affected Packages

| Ecosystem | Package | Affected from | Fixed in |
|---|---|---|---|
| RubyGems | bootstrap | 0 | 4.3.1 |
| RubyGems | bootstrap-sass | 3.0.0 | 3.4.1 |
| NuGet | Bootstrap.Less | 3.0.0 | 3.4.1 |
| NuGet | bootstrap | 4.0.0 | 4.3.1 |
| NuGet | bootstrap | 3.0.0 | 3.4.1 |
| NuGet | bootstrap.sass | 0 | 4.3.1 |
| npm | bootstrap | 4.0.0 | 4.3.1 |
| npm | bootstrap | 3.0.0 | 3.4.1 |
| npm | bootstrap-sass | 3.0.0 | 3.4.1 |
| RubyGems | twitter-bootstrap-rails | 0 | no fixed version (last affected: 5.0.0) |
| Maven | org.webjars:bootstrap | 3.0.0 | 3.4.1 |
| Maven | org.webjars:bootstrap | 4.0.0 | 4.3.1 |
| Packagist | twbs/bootstrap | 3.0.0 | 3.4.1 |
| Packagist | twbs/bootstrap | 4.0.0 | 4.3.1 |

## Key Information

| Field | Value |
|---|---|
| GHSA ID | GHSA-9v3m-8fp8-mj99 |
| Published | February 22, 2019 8:54 PM |
| Last Modified | August 1, 2024 9:03 PM |
| CVSS Score | 5.0 / 10 |
| Primary Ecosystem | RubyGems |
| Primary Package | bootstrap |
| GitHub Reviewed | Yes |

## Dataset

Last updated: October 1, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.