CVE-2024-6485

EUVD-2024-2429
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
getbootstrapbootstrap
2.0.0 ≤
𝑥
≤ 3.4.1
ADP
Debian logo
Debian Releases
Debian Product
Codename
twitter-bootstrap3
bookworm
3.4.1+dfsg-3+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
3.4.1+dfsg-2+deb11u2
fixed
forky
3.4.1+dfsg-6
fixed
sid
3.4.1+dfsg-6
fixed
trixie
3.4.1+dfsg-6
fixed
twitter-bootstrap4
bookworm
4.6.1+dfsg1-4+deb12u1
fixed
bullseye
4.5.2+dfsg1-8~deb11u1
fixed
bullseye (security)
4.5.2+dfsg1-8~deb11u2
fixed
forky
4.6.2+dfsg-1
fixed
sid
4.6.2+dfsg-1
fixed
trixie
4.6.2+dfsg-1
fixed
Common Weakness Enumeration
References
https://www.herodevs.com/vulnerability-directory/cve-2024-6485
https://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
https://www.herodevs.com/vulnerability-directory/cve-2024-6485