CVE-2024-6484
Cross-Site Scripting (XSS) vulnerability in bootstrap (npm)
What is CVE-2024-6484 About?
This advisory, since withdrawn after the reported behaviour was deemed not a Bootstrap issue, described an XSS condition in the Bootstrap 3 carousel component: the `data-slide` and `data-slide-to` controls resolve the carousel they act on from the `href` attribute of their `<a>` tag, and that value was not sanitized. A crafted `href` could lead to arbitrary JavaScript running in the victim's browser. Because the crafted value has to be present in the page's own markup, preventing it falls to the application that renders the carousel controls rather than to the library.
Affected Software
| Package | Affected versions |
|---|---|
| bootstrap | >2.0.0, <=3.4.1 |
| bootstrap-sass | >2.0.0, <=3.4.1; also listed as >2.0.0, <=3.4.3 |
| bootstrap.sass | >2.0.0, <=3.4.1 |
| twbs/bootstrap | >2.0.0, <=3.4.1 |
| org.webjars:bootstrap | >2.0.0, <=3.4.1 |
| org.webjars.npm:bootstrap | >2.0.0, <=3.4.1 |
Technical Details
The reported condition is in Bootstrap 3's carousel component. Carousel controls are elements carrying `data-slide` or `data-slide-to`; when one is activated, the carousel's click handler resolves the carousel element to act on from the control's `data-target` attribute, falling back to the `href` attribute of the `<a>` tag. That string was used as-is, with no check that it is an in-page fragment reference. If an attacker can place a control in the page whose `href` is a crafted value, the string reaches the handler unsanitized and can result in arbitrary JavaScript executing in the user's browser, in the origin of the vulnerable application, that is, Cross-Site Scripting (XSS). This is not a bypass of the application's own output encoding: the attacker must already be able to put the `data-slide`/`href` markup into the page, which is why it was ultimately deemed not a Bootstrap issue.
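An application-side check for the condition described above, added here as an example; it is not Bootstrap's code and not part of the original advisory. It assumes the Bootstrap 3 behaviour that a carousel control's target is read from `data-target` and otherwise from `href`, and restricts that value to an in-page fragment (`#` plus an element id). The function names (`isSafeCarouselTarget`, `renderCarouselControl`, `auditCarouselControls`), the conservative id pattern and the sample markup are this example's own choices.

```javascript
// Added example, not Bootstrap's own code. Application-side allow-listing of the
// carousel control target that CVE-2024-6484 describes: Bootstrap 3 resolves the
// target from data-target, falling back to href, so the application must only ever
// emit an in-page fragment there. Names and sample markup are assumptions of this example.

// A carousel control may only point at an element id on the same page:
// '#' followed by a conservative id (letter first, then letters, digits, '_' or '-').
const SAFE_FRAGMENT = /^#[A-Za-z][A-Za-z0-9_-]*$/;

function isSafeCarouselTarget(value) {
  return typeof value === 'string' && SAFE_FRAGMENT.test(value);
}

// Attribute-encode any text placed inside a double-quoted HTML attribute or as text content.
function escapeAttr(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build a Bootstrap 3 style control anchor from untrusted input. Every attribute value
// is either validated against an allow-list or rejected; free text is encoded.
function renderCarouselControl({ href, slide, slideTo, label }) {
  if (!isSafeCarouselTarget(href)) {
    throw new Error(`rejected carousel href: ${JSON.stringify(href)}`);
  }
  const attrs = [`href="${escapeAttr(href)}"`];
  if (slide !== undefined) {
    if (slide !== 'prev' && slide !== 'next') {
      throw new Error(`rejected data-slide: ${JSON.stringify(slide)}`);
    }
    attrs.push(`data-slide="${slide}"`);
  }
  if (slideTo !== undefined) {
    if (!Number.isInteger(slideTo) || slideTo < 0) {
      throw new Error(`rejected data-slide-to: ${JSON.stringify(slideTo)}`);
    }
    attrs.push(`data-slide-to="${slideTo}"`);
  }
  return `<a class="carousel-control" ${attrs.join(' ')}>${escapeAttr(label ?? '')}</a>`;
}

// Read one double-quoted attribute from the attribute text of a start tag.
function readAttr(attrText, attrName) {
  const re = new RegExp(`\\b${attrName}\\s*=\\s*"([^"]*)"`, 'i');
  const m = re.exec(attrText);
  return m ? m[1] : undefined;
}

// Audit already-rendered markup (for example a CMS fragment) for carousel controls whose
// resolved target would not pass the allow-list. A deliberately simple start-tag scanner:
// it looks at every element carrying data-slide or data-slide-to and resolves the target
// the way Bootstrap 3 does (data-target first, then href).
function auditCarouselControls(html) {
  const findings = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, name, attrText] = m;
    if (!/\bdata-slide(?:-to)?\s*=/i.test(attrText)) continue;
    const target = readAttr(attrText, 'data-target') ?? readAttr(attrText, 'href') ?? '';
    if (!isSafeCarouselTarget(target)) {
      findings.push({ element: name.toLowerCase(), target, tag });
    }
  }
  return findings;
}

// Constructed sample markup: two controls that pass, two that must be reported.
const SAMPLE_HTML = `
<a class="left carousel-control" href="#myCarousel" data-slide="prev">Previous</a>
<li data-target="#myCarousel" data-slide-to="0"></li>
<a class="right carousel-control" href="https://example.invalid/#myCarousel" data-slide="next">Next</a>
<a href="#my Carousel" data-slide-to="1">Slide 1</a>
`;

for (const f of auditCarouselControls(SAMPLE_HTML)) {
  console.log(`unsafe carousel target on <${f.element}>: ${JSON.stringify(f.target)}`);
}
```

The allow-list is the point: a fragment identifier is the only value a carousel control legitimately needs, so anything else is rejected outright instead of being "cleaned". Run the audit over server-rendered templates or stored HTML fragments as a build-time or CI check; it is a heuristic scanner, not an HTML parser, so treat a clean result as a first pass rather than proof.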
What is the Impact of CVE-2024-6484?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, data theft, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2024-6484?
Exploitation is of medium complexity and requires the attacker to get markup into a page that loads an affected Bootstrap version: an element carrying `data-slide` or `data-slide-to` whose `href` (or `data-target`) the attacker controls. In practice that means the application renders user-supplied or user-influenced HTML into a carousel, or lets users set the `href` of carousel controls, without restricting the value to an in-page fragment. Whether authentication is needed depends on who can supply that content. No elevated privileges are involved, since the payload runs in the victim's browser session. The attack is remote. Applications that accept unfiltered user-generated HTML, or build carousel markup from unvalidated input, on a vulnerable Bootstrap version are the ones at risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-6484?
Available Upgrade Options
- No fixed release. The advisory was withdrawn as not a Bootstrap issue, and Bootstrap 3 is end of life, so no 3.x release addressing it was published. Applications on 3.x that render user-influenced carousel markup should restrict carousel control targets (`href`/`data-target`) to in-page fragment identifiers, or move to a supported Bootstrap major version.
Additional Resources
- https://www.herodevs.com/vulnerability-directory/cve-2024-6484
- https://nvd.nist.gov/vuln/detail/CVE-2024-6484
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2024-6484.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2024-6484.yml
- https://osv.dev/vulnerability/GHSA-9mvj-f7w8-pvh2
- https://github.com/twbs/bootstrap
What are Similar Vulnerabilities to CVE-2024-6484?
Similar Vulnerabilities: CVE-2023-35631, CVE-2023-45803, CVE-2022-29007, CVE-2022-44675, CVE-2022-25916
