Published: 07 May 2021
Source: github
Github: Reviewed
CVSS4: 5.3
CVSS3: 6.1
Description
Cross-site scripting in bootstrap-select
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-20921
- https://github.com/snapappointments/bootstrap-select/issues/2199
- https://github.com/snapappointments/bootstrap-select/commit/ab6e068748040cf3cda5859f6349b382402b8767
- https://issues.jtl-software.de/issues/SHOP-7964
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
Packages

| Name | Ecosystem | Affected versions | Fixed version |
|---|---|---|---|
| bootstrap-select | npm | < 1.13.6 | 1.13.6 |
| bootstrap-select | nuget | < 1.13.6 | 1.13.6 |

Related vulnerabilities
CVSS3: 6.1
redhat
almost 7 years ago
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
CVSS3: 6.1
nvd
more than 5 years ago
bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.