CVE-2018-14040
XSS (Cross-Site Scripting) vulnerability in bootstrap (npm)
What is CVE-2018-14040 About?
This vulnerability is an XSS flaw in Bootstrap versions 2.3.0 up to but not including 3.4.0, and 4.x before 4.1.2, in the `data-parent` attribute of the collapse component. An attacker who can control the value of that attribute can inject and execute arbitrary script in the victim's browser, a client-side compromise. Exploitation therefore depends on some form of content injection that lets the attacker place a crafted value into `data-parent`.
Affected Software
- bootstrap
  - >2.3.0, <3.4.0
  - >4.0.0, <4.1.2
- org.webjars:bootstrap
  - >2.3.0, <3.4.0
  - >4.0.0, <4.1.2
- bootstrap.sass
  - >4.0.0, <4.1.2
- bootstrap-sass
  - >2.3.0, <3.4.0
- twbs/bootstrap
  - >2.3.0, <3.4.0
  - >4.0.0, <4.1.2
Technical Details
The XSS vulnerability in Bootstrap's collapse component arises because the plugin hands the value of the data-parent attribute (and the equivalent parent option) directly to jQuery as a selector without validating it. In versions 2.3.0 up to but not including 3.4.0, and 4.x before 4.1.2, a value that jQuery interprets as HTML markup rather than as a selector is turned into DOM elements, so attacker-controlled markup placed in that attribute can run script in the user's browser. The result is a DOM-based Cross-Site Scripting attack that leverages the browser's trust in rendered page content.
What is the Impact of CVE-2018-14040?
Successful exploitation may allow attackers to execute arbitrary client-side script code in the context of the user's browser, leading to session hijacking, data exfiltration, or defacement of the affected website.
What is the Exploitability of CVE-2018-14040?
Exploitation requires the ability to inject malicious content into the data-parent attribute of a Bootstrap collapse component. This typically occurs through user-controlled input fields on a web application that do not properly sanitize HTML before rendering. The attack is client-side, targeting the end-user's browser, and can be triggered remotely. The complexity is moderate, as it relies on specific HTML attribute manipulation. No explicit authentication or privilege requirements are mentioned, but the capacity to inject content usually implies at least low-privileged access or a content contribution role. The availability of proof-of-concept exploits suggests that the methods for exploitation are known and relatively straightforward to implement.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Yumeae | Link | A PoC for Bootstrap XSS (CVE-2024-6485, CVE-2016-10735, CVE-2019-8331, CVE-2018-14040) |
| Snorlyd | Link | Vulnerability report on the New Jersey official site |
What are the Available Fixes for CVE-2018-14040?
About the Fix from Resolved Security
The patch mitigates the vulnerability CVE-2018-14040 by replacing direct use of user-provided selectors with $(document).find(...) in Bootstrap's JavaScript, ensuring that invalid or malicious selectors (like those with inline scripts) throw an exception and do not result in selector injection or DOM-based XSS. This prevents attacker-controlled input in options like container, parent, or target from being interpreted as a selector that could inject executable HTML, eliminating the risk of XSS via crafted data attributes or options.
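The technical details and the fix description above both turn on one distinction: whether a data-parent value reaches jQuery as a selector or as HTML. The following added example (not Bootstrap's or Resolved Security's code) is a small audit script that scans markup for data-parent attributes and flags values jQuery's `$()` would parse as markup; the HTML-versus-selector heuristic is my reading of jQuery's init() and is an assumption, and the allow-list check shows what a hardened caller would enforce before passing the value on.

```javascript
// Added example, not Bootstrap's code. The HTML-vs-selector heuristic
// mirrors jQuery's init() as an assumption; upgrading is the real fix.

// jQuery's quick-expression: "<...>" markup or a bare "#id".
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True if $(str) (no context) would parse str as HTML and create
// elements instead of querying the DOM.
function looksLikeHtmlToJquery(str) {
  if (typeof str !== 'string') return false;
  if (str[0] === '<' && str[str.length - 1] === '>' && str.length >= 3) return true;
  const m = RQUICK_EXPR.exec(str);
  return Boolean(m && m[1]);
}

// Allow-list for a collapse parent: a single id selector. A hardened
// caller rejects anything else before the value reaches jQuery.
const SAFE_PARENT = /^#[A-Za-z_][\w-]*$/;
function isSafeParentSelector(str) {
  return typeof str === 'string' && SAFE_PARENT.test(str);
}

// Browsers decode entities in attribute values, so the audit must too.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Scan an HTML string for data-parent attributes and classify each value.
const DATA_PARENT_ATTR = /\bdata-parent\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
function auditDataParent(html) {
  const findings = [];
  let m;
  while ((m = DATA_PARENT_ATTR.exec(html)) !== null) {
    const value = decodeEntities(m[1] !== undefined ? m[1] : m[2]);
    findings.push({ value, htmlLike: looksLikeHtmlToJquery(value),
                    safe: isSafeParentSelector(value) });
  }
  return findings;
}

// Constructed sample: one benign accordion link and one value that is
// markup rather than a selector (harmless tags, only to show the check).
const SAMPLE_HTML = `
<div id="accordion">
  <a data-toggle="collapse" data-parent="#accordion" href="#one">One</a>
  <a data-toggle="collapse" data-parent="&lt;b&gt;x&lt;/b&gt;" href="#two">Two</a>
</div>`;
console.log(auditDataParent(SAMPLE_HTML));
```

Running it over server-rendered templates or captured responses gives a quick inventory of collapse parents that are not plain id selectors, which is where an injected value would have to sit.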
Available Upgrade Options
- bootstrap-sass
  - >2.3.0, <3.4.0 → Upgrade to 3.4.0
- org.webjars:bootstrap
  - >2.3.0, <3.4.0 → Upgrade to 3.4.0
  - >4.0.0, <4.1.2 → Upgrade to 4.1.2
- twbs/bootstrap
  - >2.3.0, <3.4.0 → Upgrade to 3.4.0
  - >4.0.0, <4.1.2 → Upgrade to 4.1.2
- bootstrap
  - >2.3.0, <3.4.0 → Upgrade to 3.4.0
  - >4.0.0, <4.1.2 → Upgrade to 4.1.2
- bootstrap.sass
  - >4.0.0, <4.1.2 → Upgrade to 4.1.2
Additional Resources
- https://seclists.org/bugtraq/2019/May/18
- https://github.com/twbs/bootstrap/pull/26630
- https://lists.debian.org/debian-lts-announce/2018/08/msg00027.html
- http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2018-14040.yml
- https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
- https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2018-14040?
Similar Vulnerabilities: CVE-2024-6531, CVE-2023-45803, CVE-2023-29007, CVE-2023-28929, CVE-2022-40156
