Description
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hosting Web site, which can lead to stealing the victim's cookie-based authentication credentials.
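The description above attributes the flaw to improper validation of a user-supplied data-target value that is later used as a selector. As an added illustration (not Bootstrap's own code and not the upstream 4.1.2 fix), the JavaScript below shows the defensive pattern a maintainer would apply: treat any attribute that becomes a CSS selector as untrusted, accept only a strict allowlist shape (here a single id or class selector, an assumption about what the host page needs), and resolve it with querySelector, which never interprets its argument as markup. The names isSafeTargetSelector, resolveScrollTarget and the stub document and element objects are constructed for this example.

```javascript
// Added example; not Bootstrap's code and not the fix shipped in 4.1.2.
// Assumption: data-target only ever needs to name one element by id or class.
const SAFE_TARGET = /^[#.][A-Za-z_][\w-]*$/;

function isSafeTargetSelector(value) {
  // Reject anything that is not a single plain id/class selector:
  // markup, combinators, attribute selectors, selector lists, whitespace.
  return typeof value === 'string' && SAFE_TARGET.test(value);
}

function resolveScrollTarget(doc, element) {
  const raw = element.getAttribute('data-target');
  if (!isSafeTargetSelector(raw)) {
    return null; // untrusted value: ignore it rather than pass it on
  }
  // querySelector treats its argument strictly as a selector and never
  // creates elements from it, unlike HTML-aware wrapper functions.
  return doc.querySelector(raw);
}

// Constructed stand-in for a DOM so the example runs in plain Node;
// it only knows elements by id.
function makeStubDocument(knownIds) {
  return {
    querySelector(selector) {
      const id = selector.slice(1);
      return knownIds.includes(id) ? { id } : null;
    },
  };
}

function stubElement(dataTarget) {
  return { getAttribute: (name) => (name === 'data-target' ? dataTarget : null) };
}

// Runs the check over a safe value, a markup string and an unknown id.
function demo() {
  const doc = makeStubDocument(['section-1']);
  return {
    good: resolveScrollTarget(doc, stubElement('#section-1')),
    markup: resolveScrollTarget(doc, stubElement('<b>not a selector</b>')),
    unknown: resolveScrollTarget(doc, stubElement('#missing')),
  };
}

demo();
```

The allowlist is deliberately narrower than the CSS selector grammar: rejecting an unusual but legitimate selector costs a broken scroll link, whereas accepting an arbitrary string hands page-controlled text to whatever resolves the selector.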
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5 | cfme-gemset | Not affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-prometheus | Not affected | | |
| Red Hat Ceph Storage 4 | ceph | Affected | | |
| Red Hat Ceph Storage 5 | ceph | Affected | | |
| Red Hat Decision Manager 7 | bootstrap | Not affected | | |
| Red Hat Discovery 1 | discovery-server-container | Not affected | | |
| Red Hat Enterprise Linux 7 | ipa | Not affected | | |
| Red Hat Enterprise Linux 7 | pki-core | Not affected | | |
| Red Hat Enterprise Linux 8 | 389-ds:1.4/389-ds-base | Under investigation | | |
| Red Hat Enterprise Linux 8 | cockpit | Under investigation | | |
Additional information
Status:
CVSS3: 6.1 Medium
Related vulnerabilities
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
A vulnerability in the ScrollSpy plugin of the Bootstrap toolkit for building websites and web applications that allows an attacker to carry out cross-site scripting attacks.
CVSS3: 6.1 Medium