CVE-2019-8331

MEDIUM

Bootstrap < 3.4.1 and 4.3.x < 4.3.1 - Cross-Site Scripting via Tooltip or Popover Data-Template Attribute

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-8331. PoCs published by Yumeae, Thampakon, Snorlyd.

Description

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Exploits (3)

nomisec WORKING POC 3 stars
by Yumeae · poc
https://github.com/Yumeae/Bootstrap-with-XSS

This repository contains a static HTML file demonstrating multiple Bootstrap XSS vulnerabilities, including CVE-2019-8331, which exploits the Tooltip component's `data-template` attribute. It is designed for educational purposes and requires manual version switching to test different vulnerabilities.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Bootstrap v4.x < v4.3.1 and v3.x < v3.4.1
No auth needed
Prerequisites: A browser to open the HTML file · Manual editing of the HTML file to switch Bootstrap versions
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by Thampakon · poc
https://github.com/Thampakon/CVE-2019-8331

The repository provides a description and examples of CVE-2019-8331, an XSS vulnerability in Bootstrap due to improper sanitization of data-template attributes in tooltip/popover elements. It includes PoC snippets demonstrating the exploit but lacks executable code.

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Bootstrap < 4.3.1, < 5.0.0-beta2
No auth needed
Prerequisites: Victim interaction required to trigger tooltip/popover
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by Snorlyd · poc
https://github.com/Snorlyd/https-nj.gov---CVE-2019-8331

This repository contains a writeup detailing CVE-2019-8331, an XSS vulnerability in Bootstrap versions prior to 3.4.1 and 4.3.1. The vulnerability arises from unsanitized input in the data-template, data-content, and data-title properties of tooltip/popover components.

Classification: Writeup (100%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Bootstrap (versions < 3.4.1 and < 4.3.1)
No auth needed
Prerequisites: A target application using vulnerable Bootstrap versions with tooltip/popover components
devstral-2 · analyzed Feb 16, 2026

References (27)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107375
Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/May/18
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/May/11
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/May/10
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/May/13
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1456
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3023
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3024
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/pull/28236
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/releases/tag/v4.3.1
Product, Third Party Advisory x_refsource_misc
https://github.com/twbs/bootstrap/releases/tag/v3.4.1
Third Party Advisory x_refsource_confirm
https://support.f5.com/csp/article/K24383845
Patch, Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14

Scores

CVSS v3: 6.1
EPSS: 0.0167
EPSS Percentile: 82.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (30)
f5/big-ip_access_policy_manager 12.1.0 - 12.1.5.1
f5/big-ip_advanced_firewall_manager 12.1.0 - 12.1.5.1
f5/big-ip_analytics 12.1.0 - 12.1.5.1
f5/big-ip_application_acceleration_manager 12.1.0 - 12.1.5.1
f5/big-ip_application_security_manager 12.1.0 - 12.1.5.1
f5/big-ip_domain_name_system 12.1.0 - 12.1.5.1
f5/big-ip_edge_gateway 12.1.0 - 12.1.5.1
f5/big-ip_fraud_protection_service 12.1.0 - 12.1.5.1
f5/big-ip_global_traffic_manager 12.1.0 - 12.1.5.1
f5/big-ip_link_controller 12.1.0 - 12.1.5.1
... and 20 more
Published Feb 20, 2019
Tracked Since Feb 18, 2026