CVE-2018-20677

MEDIUM

Bootstrap < 3.4.0 - Cross-Site Scripting via Affix Configuration Target Property

Title source: llm
STIX 2.1

Description

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

References (14)

Core 14
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1456
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/issues/27045
Release Notes, Vendor Advisory x_refsource_misc
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
Patch, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/pull/27047
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:1076
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:1570
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3023
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0132
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0133

Scores

CVSS v3 6.1
EPSS 0.0980
EPSS Percentile 93.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (8)
getbootstrap/bootstrap < 3.4.0
npm/bootstrap 0 - 3.4.0npm
npm/bootstrap-sass 0 - 3.4.0npm
nuget/bootstrap 0 - 3.4.0NuGet
org.webjars/bootstrap 0 - 3.4.0Maven
rubygems/bootstrap 0 - 3.4.0RubyGems
rubygems/bootstrap-sass 0 - 3.4.0RubyGems
twbs/bootstrap 0 - 3.4.0Packagist
Published Jan 09, 2019
Tracked Since Feb 18, 2026