CVE-2019-8331
Cross-Site Scripting (XSS) vulnerability in bootstrap

Cross-Site Scripting (XSS) Proof of concept

What is CVE-2019-8331 About?

This vulnerability is a Cross-Site Scripting (XSS) issue in `bootstrap` versions prior to 3.4.1 (for 3.x) and 4.3.1 (for 4.x). It enables attackers to execute arbitrary JavaScript due to a lack of input sanitization in the `data-template` attribute of the tooltip and popover plugins. Exploitation is of moderate difficulty, because the application must let attacker-controlled data reach that attribute.

Affected Software

  • bootstrap
    • <4.3.1
    • >4.0.0, <4.3.1
    • >3.0.0, <3.4.1
  • bootstrap-sass
    • >3.0.0, <3.4.1
  • Bootstrap.Less
    • >3.0.0, <3.4.1
  • bootstrap.sass
    • <4.3.1
  • twitter-bootstrap-rails
    • <=5.0.0
  • org.webjars:bootstrap
    • >4.0.0, <4.3.1
    • >3.0.0, <3.4.1
  • twbs/bootstrap
    • >4.0.0, <4.3.1
    • >3.0.0, <3.4.1

Technical Details

The XSS vulnerability in `bootstrap` arises because the `data-template` attribute used by the tooltip and popover plugins does not properly sanitize user-supplied input. An attacker can craft a malicious string containing JavaScript code and inject it into the `data-template` attribute through an application that uses vulnerable `bootstrap` versions and allows user-controlled input into these attributes. When a user interacts with the affected tooltip or popover, the embedded JavaScript will be executed in the context of the user's browser, leading to client-side code execution. This is a client-side vulnerability where the malicious payload is delivered via the HTML structure.

What is the Impact of CVE-2019-8331?

Successful exploitation may allow attackers to execute arbitrary client-side scripts, compromise user sessions, plant web skimmers, or deface web content.

What is the Exploitability of CVE-2019-8331?

Exploitation of this XSS vulnerability requires moderate complexity, as the attacker needs to inject malicious content into the `data-template` attribute of `bootstrap` tooltips or popovers. This usually implies that the attacker has control over some data displayed by the application that is then rendered into these specific attributes without proper sanitization. No specific authentication is required at the point of script execution; the malicious script runs in the context of the authenticated user. This is typically a remote attack, where the payload is sent to the victim's browser through a vulnerable web application. Prerequisites include an application utilizing vulnerable versions of `bootstrap` and allowing untrusted data to populate the `data-template` attribute. The absence of robust input validation and output encoding for content rendered within these UI components significantly increases the risk.
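
The two prerequisites above (a vulnerable `bootstrap` version and untrusted data reaching `data-template`) can be checked during code review. The following is an added example, not code from Bootstrap or from this advisory; the function names, the interpolation markers it looks for and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit helper for CVE-2019-8331 (not Bootstrap's or this advisory's code).
// Fixed versions come from the advisory; the interpolation syntaxes are assumptions.
const FIXED = { 3: [3, 4, 1], 4: [4, 3, 1] };

// Parse "4.1.3" or "v3.3.7" into [major, minor, patch]; any suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// 'affected' | 'fixed' for the 3.x and 4.x lines, 'unlisted' for other majors.
function versionStatus(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unlisted';
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i] ? 'affected' : 'fixed';
  }
  return 'fixed';
}

const DATA_TEMPLATE = /data-template\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// Assumed markers: Mustache/Jinja {{ }}, ERB/EJS <% %>, JS template literal ${ }.
const INTERPOLATION = /\{\{[\s\S]*?\}\}|<%[\s\S]*?%>|\$\{[^}]*\}/;

// Report each line whose data-template value is built from interpolated data.
function findDynamicTemplates(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(DATA_TEMPLATE)) {
      const value = m[1] ?? m[2];
      if (INTERPOLATION.test(value)) findings.push({ line: i + 1, value });
    }
  });
  return findings;
}

// Constructed sample view: line 1 is a static template, line 2 interpolates
// profile data into data-template, line 3 has no data-template at all.
const SAMPLE = [
  `<a data-toggle="tooltip" data-template="<div class='tooltip'><div class='tooltip-inner'></div></div>">?</a>`,
  '<a data-toggle="popover" data-template="{{ profile.popover_html }}">{{ profile.name }}</a>',
  '<span data-toggle="tooltip" title="{{ profile.name }}">i</span>',
].join('\n');

console.log(versionStatus('3.3.7'), findDynamicTemplates(SAMPLE));
```

A flagged line is a review lead rather than proof of exploitability: confirm whether the interpolated value can be influenced by a user before treating it as a finding.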

What are the Known Public Exploits?

PoC Author | Link | Commentary
Yumeae | Link | A PoC for Bootstrap XSS (CVE-2024-6485, CVE-2016-10735, CVE-2019-8331, CVE-2018-14040)
Snorlyd | Link | Vulnerability Report of the New Jersey official site
Thampakon | Link | Vulnerability CVE-2019-8331

What are the Available Fixes for CVE-2019-8331?

Available Upgrade Options

  • bootstrap.sass
    • <4.3.1 → Upgrade to 4.3.1
  • bootstrap-sass
    • >3.0.0, <3.4.1 → Upgrade to 3.4.1
  • bootstrap
    • >3.0.0, <3.4.1 → Upgrade to 3.4.1
  • bootstrap
    • >4.0.0, <4.3.1 → Upgrade to 4.3.1
  • Bootstrap.Less
    • >3.0.0, <3.4.1 → Upgrade to 3.4.1
  • twbs/bootstrap
    • >3.0.0, <3.4.1 → Upgrade to 3.4.1
  • twbs/bootstrap
    • >4.0.0, <4.3.1 → Upgrade to 4.3.1
  • org.webjars:bootstrap
    • >3.0.0, <3.4.1 → Upgrade to 3.4.1
  • org.webjars:bootstrap
    • >4.0.0, <4.3.1 → Upgrade to 4.3.1

Additional Resources

What are Similar Vulnerabilities to CVE-2019-8331?

Similar Vulnerabilities: CVE-2019-16769, CVE-2020-28498, CVE-2021-3803, CVE-2018-12536, CVE-2017-1000159