CVE-2024-6485: Cross-site Scripting in Bootstrap-sass

Severity: 6.4 MEDIUM (NVD)
EPSS: 0.1% (top 66.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 11; latest update Jun 5

Description

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Exploitability: 1.6 | Impact: 4.7

Affected Packages (8 packages)

Source      Package                            Introduced   Fixed
debian      debian/twitter-bootstrap3          n/a          < 3.4.1+dfsg-3+deb12u1 (bookworm)
debian      debian/twitter-bootstrap4          n/a          < twitter-bootstrap3 3.4.1+dfsg-3+deb12u1 (bookworm)
CVEListV5   bootstrap/bootstrap                1.4.0        3.4.1
npm         bootstrap/bootstrap                1.4.0        3.4.1
CVEListV5   bootstrap-sass/bootstrap-sass      2.3.2        3.4.3

🔴 Vulnerability Details (4)

OSV   twitter-bootstrap3, twitter-bootstrap4 vulnerabilities (2025-06-05)
OSV   Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes (2024-07-11)
GHSA  Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes (2024-07-11)
OSV   CVE-2024-6485: A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks (2024-07-11)

📋 Vendor Advisories (4)

Ubuntu     Bootstrap vulnerabilities (2025-06-05)
Red Hat    bootstrap: Cross-Site Scripting via button plugin on bootstrap (2024-07-11)
Microsoft  XSS in Bootstrap button component (2024-07-09)
Debian     CVE-2024-6485: twitter-bootstrap3 - A security vulnerability has been discovered in bootstrap that could enable Cros... (2024)