CVE-2018-14042
Published 2018-07-13
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Priority P4 27 · medium · 6.1 CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 4.01% (89.3th percentile)
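Why an attacker-controlled data-container value turns into script execution, as an added example that is not Bootstrap's or jQuery's code: in the affected versions the tooltip plugin handed the attribute string to jQuery's `$()`, which parses a string that looks like HTML into live elements instead of treating it as a selector (the same root cause as the scrollspy data-target issue, CVE-2018-14041). The block below reproduces the string-classification decision jQuery 3.x makes in its constructor so the check can run without a browser, shows the selector-only policy that a fixed lookup such as `$(document).find(sel)` or `document.querySelector(sel)` enforces, and audits a constructed fragment of markup. The function names, helper regexes and sample markup are this example's own assumptions.

```javascript
// Added illustration (not Bootstrap's or jQuery's code): why an attacker-
// controlled data-container value becomes XSS, and how to audit markup for it.
//
// jQuery's $(string) is overloaded: a string that looks like HTML is parsed
// and turned into elements (running any event handlers it carries once the
// nodes hit the document); only otherwise is it treated as a CSS selector.
// This reproduces the decision jQuery 3.x makes in init().
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function jqueryTreatsAsHtml(value) {
  if (typeof value !== 'string') return false;
  // Fast path in jQuery: starts with '<', ends with '>', at least 3 chars.
  if (value[0] === '<' && value[value.length - 1] === '>' && value.length >= 3) {
    return true;
  }
  // Slow path: optional leading whitespace, a tag, then anything but '>'.
  const m = rquickExpr.exec(value);
  return Boolean(m && m[1]);
}

// Hardened lookup policy: treat the option strictly as a selector. A value
// jQuery would parse as HTML is rejected; everything else is returned for a
// selector-only lookup ($(document).find(sel) / document.querySelector(sel)),
// neither of which ever creates nodes.
function safeContainerSelector(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  if (jqueryTreatsAsHtml(value)) return null;
  return value.trim();
}

// Audit helper: pull every data-container / data-target value out of a
// fragment of markup and flag the ones jQuery would parse as HTML.
const DATA_ATTR = /\bdata-(container|target)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function findUnsafeDataAttributes(html) {
  const hits = [];
  for (const m of html.matchAll(DATA_ATTR)) {
    const attr = `data-${m[1].toLowerCase()}`;
    const raw = m[2] !== undefined ? m[2] : m[3];
    // Attribute values reach the plugin HTML-decoded; undo the common entities.
    const value = raw.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
      .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
    if (jqueryTreatsAsHtml(value)) hits.push({ attr, value });
  }
  return hits;
}

// Constructed sample (not from any real site): benign tooltip/scrollspy
// markup beside values of the kind the advisory describes.
const SAMPLE_HTML = `
<button data-toggle="tooltip" data-container="body" title="ok">A</button>
<button data-toggle="tooltip" data-container="<img src=x onerror=alert(1)>" title="x">B</button>
<div data-spy="scroll" data-target="#nav">...</div>
<div data-spy="scroll" data-target="&lt;svg onload=alert(2)&gt;">...</div>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnsafeDataAttributes(SAMPLE_HTML));
}
```

The precondition matters when triaging: the attacker has to get a data-container (or data-target) attribute with a chosen value into the page, typically through a CMS, theme or rich-text feature that lets users set data-* attributes, and the victim has to hover or focus the element so the tooltip is built, which is why the vector carries UI:R. Where markup is user-controlled, the audit above is a quick way to find values that a vulnerable build would turn into nodes.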
Affected (20 indexed ranges; duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootstrap-sass | bootstrap-sass | >= 2.0.4 < 3.4.0 | 3.4.0 |
| bootstrap-sass | bootstrap-sass | >= 2.3.0 < 3.4.0 | 3.4.0 |
| debian | twitter-bootstrap3 | < 3.4.0+dfsg-1 (bookworm) | 3.4.0+dfsg-1 |
| getbootstrap | bootstrap | < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | — | — |
| getbootstrap | bootstrap | >= 2.3.0 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 4.0.0 < 4.1.2 | 4.1.2 |
| msrc | azl3_fontawesome4-fonts_4.7.0-12_on_azure_linux_3.0 | — | — |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
| twbs | bootstrap | >= 2.3.0 < 3.4.0 | 3.4.0 |
| twbs | bootstrap | >= 4.0.0 < 4.1.2 | 4.1.2 |
| typo3 | cms | >= 8.0.0 < 8.7.23 | 8.7.23 |
| typo3 | cms | >= 9.0.0 < 9.5.4 | 9.5.4 |
| typo3 | cms-core | >= 8.0.0 < 8.7.23 | 8.7.23 |
| typo3 | cms-core | >= 9.0.0 < 9.5.4 | 9.5.4 |
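A range check against the upstream (twbs) rows above, as an added example that is not part of this page or of the Bootstrap project: it decides whether a given Bootstrap version falls inside 2.3.0 to 3.4.0 or 4.0.0 to 4.1.2, and can pull the version out of a vendored dist file. The banner format it looks for (`Bootstrap vX.Y.Z` in the leading comment of bootstrap.js / bootstrap.min.js) and the sample file contents are assumptions of this example; some indexes list a lower bound of 2.0.4 or none at all, so treat the lower bound as advisory.

```javascript
// Added example (not the page's or Bootstrap's code): is a build inside the
// affected ranges listed for twbs/bootstrap?
const AFFECTED_RANGES = [
  // from: first affected (inclusive), fixed: first fixed release (exclusive)
  { from: '2.3.0', fixed: '3.4.0' },
  { from: '4.0.0', fixed: '4.1.2' },
];

// Parse "X.Y.Z" (optionally "vX.Y.Z"); a pre-release suffix such as
// "4.0.0-beta.3" is ignored and treated as its base version, which errs on
// the side of flagging.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the matching range, or null when the version lies outside all of them.
function affectedRange(version) {
  const v = parseVersion(version);
  if (!v) return null;
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(v, parseVersion(r.from)) >= 0 &&
        compareVersions(v, parseVersion(r.fixed)) < 0) {
      return r;
    }
  }
  return null;
}

function isAffected(version) {
  return affectedRange(version) !== null;
}

// Extract the version from the banner comment at the top of a dist file.
// Assumption: the file starts with the official "/*! * Bootstrap vX.Y.Z" header.
const BANNER = /Bootstrap\s+v(\d+\.\d+\.\d+)/;
function versionFromSource(source) {
  const m = BANNER.exec(String(source).slice(0, 512));
  return m ? m[1] : null;
}

// Constructed sample of the start of a vendored bootstrap.min.js.
const SAMPLE_DIST =
  '/*!\n * Bootstrap v4.0.0 (https://getbootstrap.com)\n' +
  ' * Copyright 2011-2018 The Bootstrap Authors\n */\n!function(t,e){/* ... */}';

if (typeof require !== 'undefined' && require.main === module) {
  const v = versionFromSource(SAMPLE_DIST);
  console.log(v, isAffected(v) ? 'affected, fix in ' + affectedRange(v).fixed : 'not affected');
}
```

Run it over each copy of bootstrap.js shipped in a web root or theme directory; a build is clear only when it reports a version at or above the fixed release of its major line, since a 4.1.2 fix says nothing about a 3.x copy that is also on disk.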
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA
Bootstrap Cross-site Scripting vulnerability
ghsa · 2018-09-13 · CVSS 6.1 · CVE-2018-14042 [MEDIUM] · CWE-79
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
GHSA
Bootstrap Cross-site Scripting vulnerability
ghsa · 2018-09-13 · CVSS 6.1 · CVE-2018-14041 [MEDIUM] · CWE-79
In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
OSV
Bootstrap Cross-site Scripting vulnerability
osv · 2018-09-13 · CVSS 6.1 · CVE-2018-14042 [MEDIUM]
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
OSV
Bootstrap Cross-site Scripting vulnerability
osv · 2018-09-13 · CVSS 6.1 · CVE-2018-14041 [MEDIUM]
In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.
OSV
CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
osv · 2018-07-13 · CVSS 6.1 · CVE-2018-14042 [MEDIUM]
CISA ICS
Mitsubishi Electric EcoWebServerIII
cisa_ics · 2022-02-24 · CVSS 6.1 · [MEDIUM]
ICS Advisory ICSA-22-055-02, last revised February 24, 2022 (archived on CISA.gov; may not reflect current policy or programs)
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric Corporation
- Equipment: Energy Saving Data Collecting Server (EcoWebServerIII)
- Vulnerabilities: Improper Neutralization of Input During Web Page Generation, Uncontrolled Resource Consumption, Improperly Controlled Modification of Dynamically-Determined Object Attributes
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow informa
Microsoft
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
vendor_msrc · 2018-07-10 · CVSS 6.1 · CVE-2018-14042 [MEDIUM] · CWE-79
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Red Hat
bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
vendor_redhat · 2018-05-29 · CVSS 6.1 · CVE-2018-14042 [MEDIUM] · CWE-79
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Statement: Red Hat Satellite 6.2 and newer versions don't use the bootstrap library, hence are not affected by this flaw.
Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don't use the vulnerable component at all.
Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle:
Debian
CVE-2018-14042: twitter-bootstrap3 - In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
vendor_debian · 2018 · CVSS 6.1 · CVE-2018-14042 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 3.4.0+dfsg-1)
bullseye: resolved (fixed in 3.4.0+dfsg-1)
forky: resolved (fixed in 3.4.0+dfsg-1)
sid: resolved (fixed in 3.4.0+dfsg-1)
trixie: resolved (fixed in 3.4.0+dfsg-1)
No detection rules found.
No public exploits indexed.
HackerOne
Vulnerable javascript dependency at Main domain
hackerone · 2021-08-02 · CVSS 6.1 · CVE-2019-8331 [MEDIUM]
Hello,
Issue detail,
Burp observed 1 outdated JavaScript library with 4 known vulnerabilities.
Burp detected bootstrap version 4.0.0, which has the following vulnerabilities:
CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover
CVE-2018-14041: XSS in data-target property of scrollspy
CVE-2018-14040: XSS in collapse data-parent attribute
CVE-2018-14042: XSS in data-container property of tooltip
Host: https://sifchain.finance
Path: /wp-content/themes/icos/assets/js/vendor/bootstrap.min.js
## Impact
Potential XSS
Bugzilla
CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
bugzilla · 2018-07-16 · CVSS 6.1 · CVE-2018-14042 [MEDIUM]
A flaw was found in Bootstrap from version 4.0 and before 4.1.2. A Cross-site Scripting (XSS) is possible in the data-container property of tooltip.
References:
https://github.com/twbs/bootstrap/issues/26628
Upstream Patch:
https://github.com/twbs/bootstrap/pull/26630
Discussion:
bootstrap 3.3.7 is affected by this flaw.
---
@Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628 they explicitly state that 3.3.7 is not affected. Any reason why you think it is?
---
In reply to comment #5:
> @Doran Moppert: According to https://github.com/twbs/bootstrap/issues/26628
> they explicitly state that 3.3.7 is not affected. Any reason why you think it
> is?
Sorry, I should have
References
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
https://github.com/twbs/bootstrap/issues/26423
https://github.com/twbs/bootstrap/issues/26628
https://github.com/twbs/bootstrap/pull/26630
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://seclists.org/bugtraq/2019/May/18
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-14