bootstrap-3.4.1.min.js: 1 vulnerabilities (highest severity is: 6.4) #385
Description
Vulnerable Library - bootstrap-3.4.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.4.1/js/bootstrap.min.js
Path to dependency file: /licenses/mit license - mit-license.html
Path to vulnerable library: /licenses/mit license - mit-license.html,/licenses/public domain, per creative commons cc0 - 1.0.html
Found in HEAD commit: 59403f1cfff628956549b34b2abc1fc6294ce3b4
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (bootstrap version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-6484 |  Medium |
6.4 | bootstrap-3.4.1.min.js | Direct | org.webjars.npm:bootstrap - 4.0.0-alpha.2;bootstrap.sass - 4.0.0-alpha;twbs/bootstrap - dev-dependabot/npm_and_yarn/rtlcss-3.1.1,dev-dependabot/npm_and_yarn/nodemon-3.1.3,dev-XhmikosR-patch-3,dev-dependabot/npm_and_yarn/rtlcss-3.4.0,dev-dependabot/npm_and_yarn/find-unused-sass-variables-3.1.0,dev-dependabot/npm_and_yarn/linkinator-2.4.0,dev-dependabot/npm_and_yarn/rollup-3.5.0,dev-dependabot/npm_and_yarn/nodemon-3.0.1,dev-dependabot/npm_and_yarn/rollup-3.2.5,dev-dependabot/npm_and_yarn/nodemon-3.0.2,dev-dependabot/npm_and_yarn/nodemon-3.0.3;bootstrap - 4.0.0;bootstrap - 3.3.6-jQuery3,4.0.0-alpha;org.webjars:bootstrap - 4.0.0-alpha | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-6484
Vulnerable Library - bootstrap-3.4.1.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.4.1/js/bootstrap.min.js
Path to dependency file: /licenses/mit license - mit-license.html
Path to vulnerable library: /licenses/mit license - mit-license.html,/licenses/public domain, per creative commons cc0 - 1.0.html
Dependency Hierarchy:
- ❌ bootstrap-3.4.1.min.js (Vulnerable Library)
Found in HEAD commit: 59403f1cfff628956549b34b2abc1fc6294ce3b4
Found in base branch: main
Vulnerability Details
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
Publish Date: 2024-07-11
URL: CVE-2024-6484
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-6484
Release Date: 2024-07-11
Fix Resolution: org.webjars.npm:bootstrap - 4.0.0-alpha.2;bootstrap.sass - 4.0.0-alpha;twbs/bootstrap - dev-dependabot/npm_and_yarn/rtlcss-3.1.1,dev-dependabot/npm_and_yarn/nodemon-3.1.3,dev-XhmikosR-patch-3,dev-dependabot/npm_and_yarn/rtlcss-3.4.0,dev-dependabot/npm_and_yarn/find-unused-sass-variables-3.1.0,dev-dependabot/npm_and_yarn/linkinator-2.4.0,dev-dependabot/npm_and_yarn/rollup-3.5.0,dev-dependabot/npm_and_yarn/nodemon-3.0.1,dev-dependabot/npm_and_yarn/rollup-3.2.5,dev-dependabot/npm_and_yarn/nodemon-3.0.2,dev-dependabot/npm_and_yarn/nodemon-3.0.3;bootstrap - 4.0.0;bootstrap - 3.3.6-jQuery3,4.0.0-alpha;org.webjars:bootstrap - 4.0.0-alpha
Step up your Open Source Security Game with Mend here