CVE-2019-20921
Cross-Site Scripting (XSS) vulnerability in bootstrap-select (npm)
What is CVE-2019-20921 About?
This is a Cross-Site Scripting (XSS) vulnerability in bootstrap-select: the library fails to escape title values in OPTION elements, which allows attackers to inject and execute arbitrary JavaScript. Exploitation is relatively easy if an attacker can control user-supplied input that is displayed in the select options, potentially leading to session hijacking or defacement.
Affected Software
- bootstrap-select
- <1.13.6
Technical Details
The vulnerability affects bootstrap-select versions prior to 1.13.6. It stems from improper sanitization or escaping of user-supplied data that is subsequently rendered within the title attribute of OPTION elements. When an attacker provides a malicious string containing a JavaScript payload (e.g., <script>alert('XSS')</script>) as a title value within an OPTION tag, the payload is not escaped. Consequently, when a victim's browser renders this content, the unescaped script is executed in the context of the user's browser with the vulnerable site's origin, so the browser's Same-Origin Policy does not contain it. This can occur if the application uses attacker-controlled data to populate the OPTION elements of a bootstrap-select dropdown without adequate input validation and output encoding.
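The pattern described above, as an added example that is not bootstrap-select's own code: a simplified, hypothetical label renderer interpolates an option title into markup first unescaped and then HTML-encoded. The function names and the sample options are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a widget that copies each
// option's title into generated markup. This is NOT bootstrap-select source.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that let a string break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the title is concatenated into markup unchanged.
function renderLabelUnsafe(option) {
  return '<span class="label" title="' + option.title + '">' + option.title + '</span>';
}

// Hardened pattern: every interpolated value is encoded before concatenation.
function renderLabelSafe(option) {
  const title = escapeHtml(option.title);
  return '<span class="label" title="' + title + '">' + title + '</span>';
}

// Review aid: return the values of options whose title contains markup
// metacharacters, so stored data can be inspected before it reaches a dropdown.
function findRiskyTitles(options) {
  return options
    .filter((o) => /[&<>"']/.test(String(o.title)))
    .map((o) => o.value);
}

// Constructed sample data; the second title is the string quoted in the text above.
const sampleOptions = [
  { value: 'a', title: 'Plain title' },
  { value: 'b', title: "<script>alert('XSS')</script>" },
];

console.log(renderLabelUnsafe(sampleOptions[1])); // markup survives intact
console.log(renderLabelSafe(sampleOptions[1]));   // markup is rendered inert
console.log(findRiskyTitles(sampleOptions));
```

Encoding belongs at the point where markup is generated; pre-encoding stored data in addition to upgrading the library can lead to double-encoded labels.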
What is the Impact of CVE-2019-20921?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the victim's browser, steal session cookies, deface the website, redirect users to malicious sites, or perform other client-side attacks.
What is the Exploitability of CVE-2019-20921?
Exploitation complexity is low to medium, depending on whether the application accepts user-controlled input and renders it into OPTION elements. No authentication is typically required for the attack itself, although creating the malicious input might require authenticated access to a vulnerable input field. This is a remote attack, as the malicious payload is delivered via the web application. No special privileges are usually required. The primary condition is that the application must reflect unescaped user-controlled input into the title attribute of OPTION elements rendered by bootstrap-select. Risk increases when web applications do not implement proper input validation and output encoding for user-supplied data displayed in dropdowns.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-20921?
Available Upgrade Options
- bootstrap-select
- <1.13.6 → Upgrade to 1.13.6
Additional Resources
- https://issues.jtl-software.de/issues/SHOP-7964
- https://www.npmjs.com/advisories/1522
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
- https://osv.dev/vulnerability/GHSA-7c82-mp33-r854
- https://nvd.nist.gov/vuln/detail/CVE-2019-20921
- https://github.com/snapappointments/bootstrap-select/issues/2199
- https://github.com/advisories/GHSA-9r7h-6639-v5mw
- https://github.com/snapappointments/bootstrap-select/commit/ab6e068748040cf3cda5859f6349b382402b8767
What are Similar Vulnerabilities to CVE-2019-20921?
Similar Vulnerabilities: CVE-2022-24754, CVE-2021-39145, CVE-2020-13645, CVE-2019-15553, CVE-2018-1000840
