CVE-2024-6485

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
HeroDevsCNA
6.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
VendorProductVersion
getbootstrapbootstrap
3.4.1 ≤
𝑥
≤ 3.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
twitter-bootstrap3
bullseye
vulnerable
bullseye (security)
3.4.1+dfsg-2+deb11u1
fixed
bookworm
3.4.1+dfsg-3+deb12u1
fixed
sid
3.4.1+dfsg-4
fixed
trixie
3.4.1+dfsg-4
fixed
twitter-bootstrap4
bullseye
4.5.2+dfsg1-8~deb11u1
fixed
bullseye (security)
4.5.2+dfsg1-8~deb11u2
fixed
bookworm
4.6.1+dfsg1-4+deb12u1
fixed
sid
4.6.2+dfsg-1
fixed
trixie
4.6.2+dfsg-1
fixed
Common Weakness Enumeration
References
https://www.herodevs.com/vulnerability-directory/cve-2024-6485
https://www.herodevs.com/vulnerability-directory/cve-2024-6485