CVE-2016-10735
Published 2019-01-09
Priority: P4 · 28 · medium · CVSS 3.0 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 4.04% (89.3th percentile)
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootstrap-sass | bootstrap-sass | >= 2.0.4 < 3.4.0 | 3.4.0 |
| bootstrap-sass | bootstrap-sass | >= 2.0.4 < 3.4.0 | 3.4.0 |
| debian | twitter-bootstrap3 | < twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) | twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) |
| debian | twitter-bootstrap4 | < twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) | twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) |
| getbootstrap | bootstrap | — | — |
| getbootstrap | bootstrap | >= 0 < 4.0.0-beta.2 | 4.0.0-beta.2 |
| getbootstrap | bootstrap | >= 2.0.4 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 2.0.4 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 3.0.0 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 4.0.0-beta < 4.0.0-beta.2 | 4.0.0-beta.2 |
| getbootstrap | bootstrap | >= 4.0.0-beta < 4.0.0-beta.2 | 4.0.0-beta.2 |
| twbs | bootstrap | >= 2.0.4 < 3.4.0 | 3.4.0 |
| twbs | bootstrap | >= 4.0.0-beta < 4.0.0-beta.2 | 4.0.0-beta.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA
Bootstrap Cross-site Scripting vulnerability
ghsa·2019-01-17·CVSS 6.1
CVE-2016-10735 [MEDIUM] CWE-79 Bootstrap Cross-site Scripting vulnerability
In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.
See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.
OSV
Bootstrap Cross-site Scripting vulnerability
osv·2019-01-17·CVSS 6.1
CVE-2016-10735 [MEDIUM] Bootstrap Cross-site Scripting vulnerability
In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.
See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.
OSV
CVE-2016-10735: In Bootstrap 3
osv·2019-01-09·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735: In Bootstrap 3
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CISA ICS
Mitsubishi Electric EcoWebServerIII
cisa_ics·2022-02-24·CVSS 6.1
[MEDIUM] Mitsubishi Electric EcoWebServerIII
ICS Advisory
Mitsubishi Electric EcoWebServerIII
Last Revised: February 24, 2022
Alert Code: ICSA-22-055-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric Corporation
- Equipment: Energy Saving Data Collecting Server (EcoWebServerIII)
- Vulnerabilities: Improper Neutralization of Input During Web Page Generation, Uncontrolled Resource Consumption, Improperly Controlled Modification of Dynamically-Determined Object Attributes
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow informa
Red Hat
bootstrap: XSS in the data-target attribute
vendor_redhat·2016-06-27·CVSS 6.1
CVE-2016-10735 [MEDIUM] CWE-79 bootstrap: XSS in the data-target attribute
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Statement: Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.
Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.
Package: pki-core (Red Hat Enterprise Linux 7) - Will not fix
Packa
Debian
CVE-2016-10735: twitter-bootstrap3 - In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible ...
vendor_debian·2016·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735: twitter-bootstrap3 - In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible ...
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Scope: local
bookworm: resolved (fixed in 3.4.0+dfsg-1)
bullseye: resolved (fixed in 3.4.0+dfsg-1)
forky: resolved (fixed in 3.4.0+dfsg-1)
sid: resolved (fixed in 3.4.0+dfsg-1)
trixie: resolved (fixed in 3.4.0+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [epel-7]
bugzilla·2019-01-29·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following temp
Bugzilla
CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [openstack-rdo]
bugzilla·2019-01-29·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Sorry, c
Bugzilla
CVE-2016-10735 rubygem-bootstrap-sass: bootstrap: XSS in the data-target attribute [fedora-all]
bugzilla·2019-01-29·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 rubygem-bootstrap-sass: bootstrap: XSS in the data-target attribute [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [fedora-all]
bugzilla·2019-01-29·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mu
Bugzilla
CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [epel-7]
bugzilla·2019-01-21·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following temp
Bugzilla
CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [fedora-all]
bugzilla·2019-01-21·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the data-target attribute [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mu
Bugzilla
CVE-2016-10735 bootstrap: XSS in the data-target attribute
bugzilla·2019-01-21·CVSS 6.1
CVE-2016-10735 [MEDIUM] CVE-2016-10735 bootstrap: XSS in the data-target attribute
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
References:
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
https://github.com/twbs/bootstrap/issues/20184
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
Upstream Patch:
https://github.com/twbs/bootstrap/pull/23679
https://github.com/twbs/bootstrap/pull/23687
https://github.com/twbs/bootstrap/pull/26460
Discussion:
RHOSP ships two versions of bootstrap, both of which are affected. Marking as such and filing trackers.
OpenStack -> Bootstrap
8,9,10 -> 3.2.0.0-1
13,14 -> 3.3.7.1-2
---
Created python-XStatic-Bootstrap-SCSS tracking bugs for
References:
https://access.redhat.com/errata/RHBA-2019:1076
https://access.redhat.com/errata/RHBA-2019:1570
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2020:0132
https://access.redhat.com/errata/RHSA-2020:0133
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
https://github.com/twbs/bootstrap/issues/20184
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
https://github.com/twbs/bootstrap/pull/23679
https://github.com/twbs/bootstrap/pull/23687
https://github.com/twbs/bootstrap/pull/26460
https://www.tenable.com/security/tns-2021-14
Published: 2019-01-09