CVE-2019-8331

EUVD-2019-0272
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
Affected Products (NVD)
VendorProductVersion
getbootstrapbootstrap
𝑥
< 3.4.1
getbootstrapbootstrap
4.3.0 ≤
𝑥
< 4.3.1
f5big-ip_access_policy_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_access_policy_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_access_policy_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_access_policy_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_advanced_firewall_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_advanced_firewall_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_advanced_firewall_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_advanced_firewall_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_analytics
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_analytics
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_analytics
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_analytics
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_application_acceleration_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_application_acceleration_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_application_acceleration_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_application_acceleration_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_application_security_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_application_security_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_application_security_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_application_security_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_domain_name_system
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_domain_name_system
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_domain_name_system
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_domain_name_system
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_edge_gateway
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_edge_gateway
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_edge_gateway
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_edge_gateway
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_fraud_protection_service
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_fraud_protection_service
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_fraud_protection_service
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_fraud_protection_service
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_global_traffic_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_global_traffic_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_global_traffic_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_global_traffic_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_link_controller
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_link_controller
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_link_controller
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_link_controller
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_local_traffic_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_local_traffic_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_local_traffic_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_local_traffic_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_policy_enforcement_manager
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_policy_enforcement_manager
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_policy_enforcement_manager
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_policy_enforcement_manager
15.0.0 ≤
𝑥
< 15.1.0
f5big-ip_webaccelerator
12.1.0 ≤
𝑥
< 12.1.5.1
f5big-ip_webaccelerator
13.0.0 ≤
𝑥
< 13.1.3.4
f5big-ip_webaccelerator
14.0.0 ≤
𝑥
< 14.1.2.5
f5big-ip_webaccelerator
15.0.0 ≤
𝑥
< 15.1.0
redhatvirtualization_manager
4.3
tenabletenable.sc
𝑥
< 5.19.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
twitter-bootstrap3
bookworm
3.4.1+dfsg-3
fixed
bullseye
3.4.1+dfsg-2
fixed
jessie
no-dsa
sid
3.4.1+dfsg-3
fixed
stretch
no-dsa
trixie
3.4.1+dfsg-3
fixed
twitter-bootstrap4
bookworm
4.6.1+dfsg1-4
fixed
bullseye
4.5.2+dfsg1-8~deb11u1
fixed
jessie
no-dsa
sid
4.6.1+dfsg1-4
fixed
stretch
no-dsa
trixie
4.6.1+dfsg1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
twitter-bootstrap
bionic
needs-triage
cosmic
ignored
disco
ignored
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
twitter-bootstrap3
bionic
needed
cosmic
ignored
disco
ignored
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needed
twitter-bootstrap4
bionic
dne
cosmic
dne
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.securityfocus.com/bid/107375
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:3024
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
https://github.com/twbs/bootstrap/pull/28236
https://github.com/twbs/bootstrap/releases/tag/v3.4.1
https://github.com/twbs/bootstrap/releases/tag/v4.3.1
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://seclists.org/bugtraq/2019/May/18
https://support.f5.com/csp/article/K24383845
https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp%3Butm_medium=RSS
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-14
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.securityfocus.com/bid/107375
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:3024
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
https://github.com/twbs/bootstrap/pull/28236
https://github.com/twbs/bootstrap/releases/tag/v3.4.1
https://github.com/twbs/bootstrap/releases/tag/v4.3.1
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e%40%3Cdev.superset.apache.org%3E
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714%40%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://seclists.org/bugtraq/2019/May/18
https://support.f5.com/csp/article/K24383845
https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp%3Butm_medium=RSS
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-14