CVE-2024-6485: Cross-Site Scripting (XSS) in Bootstrap 3 Button Plugin
Vulnerability ID: CVE-2024-6485
CVSS Score: 6.4
Published: 2024-07-11
A cross-site scripting (XSS) vulnerability exists in the Bootstrap 3.x Button plugin. The flaw occurs due to improper sanitization of the data-loading-text attribute, allowing arbitrary JavaScript execution when the button's loading state is triggered via the JavaScript API.
TL;DR
Bootstrap 3.x fails to sanitize the data-loading-text attribute in its Button plugin. Injecting malicious HTML into this attribute leads to arbitrary JavaScript execution when the loading state is programmatically triggered.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Cross-Site Scripting (XSS)
- CWE ID: CWE-79
- CVSS v3.1 Base Score: 6.4
- Attack Vector: Network
- Attack Complexity: High
- EPSS Score: 0.00135
- Exploit Status: Proof of Concept
- CISA KEV: No
Affected Systems
- Bootstrap 1.4.0 through 3.4.1 (inclusive)
- bootstrap-sass 2.3.2 through 3.4.3 (inclusive)
Mitigation Strategies
- Upgrade to Bootstrap version 4.x or 5.x where the vulnerable feature is removed.
- Utilize commercial extended support (e.g., HeroDevs NES) for backpatched 3.x versions.
- Manually patch js/button.js to use the jQuery .text() method instead of .html().
- Implement strict server-side or client-side HTML sanitization (e.g., DOMPurify) before rendering user data into data attributes.
Remediation Steps:
- Identify all deployments of Bootstrap 3.x in the application infrastructure.
- Audit application source code for server-side reflection of user input into the data-loading-text attribute.
- If upgrading is not feasible, locate js/button.js in the source repository.
- Modify the line var val = $el.is('input') ? 'val' : 'html' so that it reads var val = $el.is('input') ? 'val' : 'text'.
- Recompile or minify the JavaScript assets and deploy to production.
- Implement a WAF rule to monitor for HTML tags embedded within parameters destined for button attributes.
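The effect of that one-line change, shown with an added illustration that is not Bootstrap's own code: a DOM-free stand-in for the jQuery element methods that Button.prototype.setState uses (is, data, html, text, val), so the 'html' versus 'text' behaviour can be observed under Node. The FakeElement class, the escapeHtml helper and the loadingMarkup function are assumptions of this example; the data-loading-text value is constructed.

```javascript
// Added illustration, not Bootstrap's own code: a DOM-free stand-in for the
// jQuery element methods that Button.prototype.setState (3.4.1) touches.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

class FakeElement {
  constructor(tag, attrs, inner) {
    this.tag = tag; this.attrs = { ...attrs }; this.inner = inner || ''; this.store = {};
  }
  is(selector) { return this.tag === selector; }
  // jQuery-style .data(): data-loading-text -> loadingText, merged with .data(k, v) writes
  data(key, value) {
    if (key !== undefined) { this.store[key] = value; return this; }
    const fromAttrs = {};
    for (const [k, v] of Object.entries(this.attrs)) {
      if (k.startsWith('data-')) {
        fromAttrs[k.slice(5).replace(/-([a-z])/g, (_, c) => c.toUpperCase())] = v;
      }
    }
    return { ...fromAttrs, ...this.store };
  }
  // .html() hands the string to the HTML parser; .text() renders it as literal characters.
  html(v) { if (v === undefined) return this.inner; this.inner = String(v); return this; }
  text(v) { if (v === undefined) return this.inner; this.inner = escapeHtml(v); return this; }
  val(v) { if (v === undefined) return this.attrs.value; this.attrs.value = String(v); return this; }
  rendered() { return this.is('input') ? this.attrs.value : this.inner; }
}

// Port of setState from js/button.js, minus the setTimeout and the disabled-state
// bookkeeping. `patched` selects the advisory's one-line fix ('html' -> 'text').
function setState($el, state, patched) {
  const val = $el.is('input') ? 'val' : (patched ? 'text' : 'html');
  const data = $el.data();
  state += 'Text';
  if (data.resetText == null) $el.data('resetText', $el[val]());
  $el[val](data[state] == null ? '' : data[state]);
  return $el.rendered();
}

// Constructed sample: a data-loading-text value that carries markup, as a
// reflected user value might. Returns what the browser would render.
function loadingMarkup(patched, tag = 'button') {
  const attrs = { 'data-loading-text': '<b>Saving</b>', value: 'Go' };
  return setState(new FakeElement(tag, attrs, 'Save'), 'loading', patched);
}
```

For an input element the plugin already goes through .val(), which is why the advisory's fix only changes the non-input branch.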
References
- HeroDevs Vulnerability Directory - CVE-2024-6485
- NVD Record - CVE-2024-6485
- Debian LTS Announce (DLA-3810-1)
- GitHub Advisory - GHSA-vxmc-5x29-h64v
- Bootstrap 3.4.1 Source Code - js/button.js
Read the full report for CVE-2024-6485 on our website for more details including interactive diagrams and full exploit analysis.