CVE-2018-20676
Published 2019-01-09
Priority P428 · medium · CVSS 3.0 base score 6.1
CVSS 3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 3.84% (88.8th percentile)

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootstrap-sass | bootstrap-sass | >= 0 < 3.4.0 | 3.4.0 |
| bootstrap-sass | bootstrap-sass | >= 0 < 3.4.0 | 3.4.0 |
| debian | twitter-bootstrap3 | < twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) | twitter-bootstrap3 3.4.0+dfsg-1 (bookworm) |
| getbootstrap | bootstrap | < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 0 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 0 < 3.4.0 | 3.4.0 |
| getbootstrap | bootstrap | >= 0 < 3.4.0 | 3.4.0 |
| twbs | bootstrap | >= 0 < 3.4.0 | 3.4.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
OSV · 2019-01-17 · [MEDIUM]
XSS vulnerability that affects bootstrap
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
GHSA · 2019-01-17 · [MEDIUM] · CWE-79
XSS vulnerability that affects bootstrap
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
OSV · 2019-01-09 · CVSS 6.1 [MEDIUM]
CVE-2018-20676: In Bootstrap before 3
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
CISA ICS · 2022-02-24 · CVSS 6.1 [MEDIUM]
Mitsubishi Electric EcoWebServerIII
Archived Content: In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Mitsubishi Electric EcoWebServerIII
Last Revised: February 24, 2022
Alert Code: ICSA-22-055-02
1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric Corporation
- Equipment: Energy Saving Data Collecting Server (EcoWebServerIII)
- Vulnerabilities: Improper Neutralization of Input During Web Page Generation, Uncontrolled Resource Consumption, Improperly Controlled Modification of Dynamically-Determined Object Attributes
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow informa
Red Hat · 2018-08-10 · CVSS 6.1 [MEDIUM] · CWE-79
bootstrap: XSS in the tooltip data-viewport attribute
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
A flaw was found in Bootstrap, where it is vulnerable to cross-site scripting caused by improper validation of user-supplied input in the tooltip data-viewport attribute. This flaw allows a remote attacker to execute a script in a victim's web browser within the security context of the hosting website, which can lead to theft of the victim's cookie-based authentication credentials.
Statement: Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.
Debian · 2018 · CVSS 6.1 [MEDIUM]
CVE-2018-20676: twitter-bootstrap3 - In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribut...
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Scope: local
bookworm: resolved (fixed in 3.4.0+dfsg-1)
bullseye: resolved (fixed in 3.4.0+dfsg-1)
forky: resolved (fixed in 3.4.0+dfsg-1)
sid: resolved (fixed in 3.4.0+dfsg-1)
trixie: resolved (fixed in 3.4.0+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2019-01-21 · CVSS 6.1 [MEDIUM]
CVE-2018-20676 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the tooltip data-viewport attribute [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion
Bugzilla · 2019-01-21 · CVSS 6.1 [MEDIUM]
CVE-2018-20676 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the tooltip data-viewport attribute [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla · 2019-01-21 · CVSS 6.1 [MEDIUM]
CVE-2018-20676 rubygem-bootstrap-sass: bootstrap: XSS in the tooltip data-viewport attribute [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla · 2019-01-21 · CVSS 6.1 [MEDIUM]
CVE-2018-20676 python-XStatic-Bootstrap-SCSS: bootstrap: XSS in the tooltip data-viewport attribute [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the foll
Bugzilla · 2019-01-21 · CVSS 6.1 [MEDIUM]
CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
A flaw was found in Bootstrap before 3.4.0. XSS is possible in the tooltip data-viewport attribute.
References:
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
https://github.com/twbs/bootstrap/issues/27044
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
Upstream Patch:
https://github.com/twbs/bootstrap/pull/27047
Discussion:
Created python-XStatic-Bootstrap-SCSS tracking bugs for this issue:
Affects: epel-7 [bug 1668083]
Affects: fedora-all [bug 1668084]
Affects: openstack-rdo [bug 1668086]
Created rubygem-bootstrap-sass tracking bugs for this issue:
Affects: fedora-all [bug 1668085]
---
This issue has been a
References:
https://access.redhat.com/errata/RHBA-2019:1076
https://access.redhat.com/errata/RHBA-2019:1570
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2020:0132
https://access.redhat.com/errata/RHSA-2020:0133
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
https://github.com/twbs/bootstrap/issues/27044
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
https://github.com/twbs/bootstrap/pull/27047
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://www.tenable.com/security/tns-2021-14

Published 2019-01-09