CVE-2018-14042
Cross-Site Scripting (XSS) vulnerability in bootstrap (RubyGems)

Cross-Site Scripting (XSS) Proof of concept Fixable By Resolved Security

What is CVE-2018-14042 About?

This vulnerability in Bootstrap versions from 2.3.0 up to, but not including, 3.4.0 and 4.1.2 allows for Cross-Site Scripting (XSS). The `data-container` property of tooltips is susceptible to injection. This makes it relatively easy for an attacker to inject malicious scripts.

Affected Software

  • bootstrap
    • >2.3.0, <3.4.0
    • >4.0.0, <4.1.2
  • org.webjars:bootstrap
    • >2.3.0, <3.4.0
    • >4.0.0, <4.1.2
  • twbs/bootstrap
    • >2.3.0, <3.4.0
    • >4.0.0, <4.1.2
  • bootstrap-sass
    • >2.3.0, <3.4.0
    • >2.0.4, <3.4.0
  • bootstrap.sass
    • >4.0.0, <4.1.2

Technical Details

In Bootstrap versions 2.3.0 and later, before the fixed releases 3.4.0 and 4.1.2, a Cross-Site Scripting (XSS) vulnerability exists in the data-container property of tooltip components. The value of the data-container attribute is passed to jQuery without being sanitized or validated as a selector, so an attacker who controls it can supply script-bearing markup instead of a CSS selector. When a user interacts with a tooltip whose data-container attribute contains the crafted payload, the browser executes the injected script in the context of the vulnerable web application, leading to XSS.

What is the Impact of CVE-2018-14042?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.

What is the Exploitability of CVE-2018-14042?

Exploitation is generally low complexity: the attacker needs to get malicious markup into the data-container property of a tooltip. This usually happens through an input field whose value the application stores and later renders into a Bootstrap tooltip attribute without proper sanitization. No authentication or privileges are needed beyond the ability to submit data that is eventually displayed in a tooltip. The vulnerability is remotely exploitable and affects end users who visit a page that renders the injected value. The likelihood of exploitation rises significantly when the application frequently uses Bootstrap tooltips with user-controlled data-container values and lacks robust input validation.

What are the Known Public Exploits?

PoC Author   Link   Commentary
Snorlyd      Link   Vulnerability Report of the New Jersey official site

What are the Available Fixes for CVE-2018-14042?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes how selectors taken from user-supplied options such as parent, container, or viewport are passed to jQuery: they are resolved with $(document).find(...) instead of being passed directly to $(). Because $() interprets a string that looks like markup (for example "<img src=1 onerror=...>") as HTML to be created rather than as a selector, an attacker-controlled option could previously create elements, including event handlers, through jQuery's selector/HTML dispatch. $(document).find(...) only ever runs the selector engine, so such values are rejected as invalid selectors instead of being rendered. This fixes CVE-2018-14042, which allowed XSS through crafted options or attributes, by blocking selector injection and ensuring that only valid CSS selectors are processed.
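The following is an added example, not code from Bootstrap, jQuery, or Resolved Security. It models the distinction the fix description above relies on: jQuery's $() first decides whether a string is HTML or a selector, whereas $(document).find() only ever runs the selector engine. It also shows the validation a defender can apply to user-influenced data-container values before they reach the plugin. The quick-expression regex is modelled on jQuery's rquickExpr (assumption: jQuery 1.9 and later semantics), the allowlist of acceptable containers is an assumption about what an application typically needs, and the sample HTML is constructed for this example.

```javascript
// Added example; not Bootstrap's, jQuery's, or the vendor's code.
//
// jQuery's $(string) checks whether the string looks like HTML before
// treating it as a selector. The expression below is modelled on jQuery's
// rquickExpr (assumption: jQuery >= 1.9, where HTML must begin with "<").
// A match in group 1 means $() would build DOM nodes from the string, which
// is the path CVE-2018-14042 abuses; $(document).find(string) never takes
// that path and only runs the selector engine.
const JQUERY_QUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns how an unpatched $(option) would interpret a container option.
function classifyForJqueryConstructor(option) {
  const m = JQUERY_QUICK_EXPR.exec(String(option));
  if (m && m[1]) return "html";     // parsed as markup: handlers can execute
  if (m && m[2]) return "id";       // fast path: document.getElementById
  return "selector";                // handed to the selector engine
}

// Allowlist for user-influenced container values (assumption: the app only
// ever needs "body", a single id, or a single class as a tooltip container).
// Anything else is replaced by a safe fallback before the plugin sees it.
const ALLOWED_CONTAINER = /^(?:body|#[A-Za-z][\w-]*|\.[A-Za-z][\w-]*)$/;

function validateContainerOption(option, fallback = "body") {
  const value = String(option).trim();
  if (classifyForJqueryConstructor(value) === "html") {
    return { ok: false, reason: "html-markup", selector: fallback };
  }
  if (!ALLOWED_CONTAINER.test(value)) {
    return { ok: false, reason: "not-allowlisted", selector: fallback };
  }
  return { ok: true, reason: null, selector: value };
}

// Detection helper for templates or stored HTML: report every data-container
// attribute whose value fails validation, so reviewers can find places where
// untrusted data flows into the tooltip option.
function findSuspiciousContainers(html) {
  const attr = /data-container\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    const result = validateContainerOption(value);
    if (!result.ok) findings.push({ value, reason: result.reason });
  }
  return findings;
}

// Constructed sample markup: two safe tooltips and one whose container value
// mirrors the markup-style payload mentioned in the fix description.
const SAMPLE_HTML = `
<button data-toggle="tooltip" data-container="body" title="ok">A</button>
<button data-toggle="tooltip" data-container="#help" title="ok">B</button>
<button data-toggle="tooltip" data-container='<img src=1 onerror=...>' title="bad">C</button>
`;

console.log(classifyForJqueryConstructor("<img src=1 onerror=...>")); // html
console.log(validateContainerOption("<img src=1 onerror=...>"));      // falls back to body
console.log(findSuspiciousContainers(SAMPLE_HTML));                    // one finding
```

The classification function explains the bug: any value that $() would classify as "html" is created as DOM, event handler attributes included. The validation function is what an application should apply regardless of the Bootstrap version in use, since upgrading fixes the library's handling but does not remove user data from the attribute; the detection helper is a cheap way to audit templates and stored pages for values that should never have reached data-container.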

Available Upgrade Options

  • bootstrap.sass
    • >4.0.0, <4.1.2 → Upgrade to 4.1.2
  • bootstrap-sass
    • >2.0.4, <3.4.0 → Upgrade to 3.4.0
  • twbs/bootstrap
    • >2.3.0, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0, <4.1.2 → Upgrade to 4.1.2
  • org.webjars:bootstrap
    • >2.3.0, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0, <4.1.2 → Upgrade to 4.1.2
  • bootstrap
    • >2.3.0, <3.4.0 → Upgrade to 3.4.0
    • >4.0.0, <4.1.2 → Upgrade to 4.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2018-14042?

Similar Vulnerabilities: CVE-2018-14041, CVE-2019-8331, CVE-2020-5221, CVE-2020-15383, CVE-2021-23377