New 4.6.x version solving CVE-2024-6531

[rasputino]

Prerequisites

• I have searched for duplicate or closed feature requests
• I have read the contributing guidelines

Proposal

Create a new 4.6.3 version solving the vulnerability.

Motivation and context

There is a vulnerability affecting from 4.0.0 through 4.6.2 versions:
https://www.cve.org/CVERecord?id=CVE-2024-6531

[coliff]

Bootstrap v4 has been EOL since 2023-01-01 and won't receive any patches here.

You can either pay for support https://www.herodevs.com/support/nes-bootstrap or update to Bootstrap v5

[louismaximepiton]

Just as @coliff said, the Bootstrap v4 is EOL and there won't be any patch on our side.

[rasputino]

Understood, thanks!

[simonsystem]

I'm really annoyed, that bootstrap doesn't want to fix that issue for bootstrap v4. Paying for support isn't an option for many people, upgrading to bootstrap v5 isn't either.

So my idea is to create a fork of bootstrap v4 or participate to an already existing one, fixing all upcoming CVEs.
@rasputino How did you solve your problem? Can we develop a fix together and create a fork. If you have a PR, i would appreciate it.
@mhassan1 Would you use a fork for bootstrap v4 in your CyberChef project?

[rasputino]

@simonsystem The vulnerability identified in Bootstrap exposes users to Cross-Site Scripting (XSS) attacks. This issue occurs in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an a tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

Therefore, it should not affect your page if you are not using the carousel component.