CVE-2016-10735
XSS vulnerability in bootstrap

XSS Proof of concept

What is CVE-2016-10735 About?

This vulnerability is a Cross-Site Scripting (XSS) flaw in Bootstrap affecting versions 2.x, 3.x, and 4.x-beta. It allows attackers to inject arbitrary scripts into web pages via the 'data-target' attribute. Exploitation is relatively straightforward, as it relies on user-supplied input.

Affected Software

  • bootstrap
    • >2.0.4, <3.4.0
    • >4.0.0-beta, <4.0.0-beta.2
    • <4.0.0-beta.2
  • org.webjars:bootstrap
    • >2.0.4, <3.4.0
    • >4.0.0-beta, <4.0.0-beta.2
  • twbs/bootstrap
    • >2.0.4, <3.4.0
    • >4.0.0-beta, <4.0.0-beta.2
  • bootstrap-sass
    • >2.0.4, <3.4.0
  • bootstrap.sass
    • >4.0.0-beta, <4.0.0-beta.2

Technical Details

In Bootstrap versions 2.x from 2.0.4, 3.x before 3.4.0, and 4.x-beta before 4.0.0-beta.2, an XSS vulnerability exists due to improper sanitization or encoding of data provided to the 'data-target' attribute. An attacker can inject malicious script code into this attribute which, when rendered by a victim's browser, will execute within the context of the vulnerable web application. This allows for client-side attacks like session hijacking, defacement, or redirection.

What is the Impact of CVE-2016-10735?

Successful exploitation may allow attackers to execute arbitrary script code in the context of the victim's browser, steal sensitive information, perform actions on behalf of the victim, or deface web content.

What is the Exploitability of CVE-2016-10735?

Exploitation is of low complexity, typically requiring an attacker to craft a malicious link or inject content into a predictable location that utilizes the 'data-target' attribute. No authentication is strictly required for the initial injection, though specific application contexts might require it. It is a remote vulnerability, as the attack is launched through a web interface. The primary prerequisite is that user-supplied input is reflected in the HTML where the 'data-target' attribute is used without proper sanitization. The likelihood of exploitation increases when web applications allow users to submit unvalidated content that is then displayed.
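One way to check for the prerequisite described above is to audit the HTML an application is about to serve and accept a 'data-target' value only when it is a plain id or class selector. This is an added example, not code from the advisory or from Bootstrap; the function names, the allow-list pattern and the sample markup are assumptions constructed for illustration.

```javascript
// Added example (not Bootstrap's code): audit rendered HTML and report every
// data-target whose value is anything other than a plain #id or .class selector.
'use strict';

// Assumption: the application only ever needs simple id/class targets.
const SAFE_SELECTOR = /^[#.][A-Za-z_][\w-]*$/;

// The browser decodes character references in attribute values before any
// script reads them, so the check runs on the decoded value. Anything this
// small decoder does not handle still contains '&' and fails the allow-list.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
const toChar = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
function decodeEntities(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return toChar(parseInt(hex, 16));
    if (dec) return toChar(parseInt(dec, 10));
    const key = name.toLowerCase();
    return key in NAMED ? NAMED[key] : m;
  });
}

// Returns one finding per data-target whose decoded value is not allow-listed.
function auditDataTargets(html) {
  const attr = /\bdata-target\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    const decoded = decodeEntities(raw).trim();
    if (!SAFE_SELECTOR.test(decoded)) {
      findings.push({ offset: m.index, raw, decoded });
    }
  }
  return findings;
}

// Constructed sample markup; the second and third values carry inert markup.
const SAMPLE_HTML = `
<button data-toggle="collapse" data-target="#menu">Menu</button>
<button data-toggle="collapse" data-target="<span>x</span>">A</button>
<button data-toggle="collapse" data-target='&lt;span&gt;y&lt;/span&gt;'>B</button>
<a data-toggle="modal" data-target=.dialog-1>C</a>
`;

console.log(auditDataTargets(SAMPLE_HTML));
```

The third sample shows why HTML-encoding the value alone is not a sufficient check: the attribute reaches scripts already decoded, so validation has to be applied to the decoded selector.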

What are the Known Public Exploits?

PoC Author | Link | Commentary
Yumeae | Link | A poc for Bootstrap XSS(CVE-2024-6485、CVE-2016-10735、CVE-2019-8331、CVE-2018-14040)

What are the Available Fixes for CVE-2016-10735?

Available Upgrade Options

  • bootstrap.sass
    • >4.0.0-beta, <4.0.0-beta.2 → Upgrade to 4.0.0-beta.2
  • org.webjars:bootstrap
    • >2.0.4, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0-beta, <4.0.0-beta.2 → Upgrade to 4.0.0-beta.2
  • twbs/bootstrap
    • >2.0.4, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0-beta, <4.0.0-beta.2 → Upgrade to 4.0.0-beta.2
  • bootstrap-sass
    • >2.0.4, <3.4.0 → Upgrade to 3.4.0
  • bootstrap
    • >2.0.4, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0-beta, <4.0.0-beta.2 → Upgrade to 4.0.0-beta.2

What are Similar Vulnerabilities to CVE-2016-10735?

Similar Vulnerabilities: CVE-2018-14041, CVE-2013-10002, CVE-2019-10742, CVE-2020-5231, CVE-2022-24990