CVE-2023-46998

MEDIUM

BootBox Bootbox.js 3.2-6.0 - Cross-Site Scripting via alert(), confirm(), prompt() Functions


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-46998. PoCs published by soy-oreocato.

AI-analyzed exploit summary: The repository describes a Cross-Site Scripting (XSS) vulnerability in Bootbox.js versions 3.2 through 6.0, where functions like alert(), confirm(), and prompt() fail to sanitize user input, allowing arbitrary JavaScript execution. The PoC demonstrates the vulnerability by injecting a script tag into a dialog box.

Description

Cross-Site Scripting vulnerability in BootBox Bootbox.js v3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to the alert(), confirm(), and prompt() functions.

Exploits (1)

nomisec WRITEUP 1 star
by soy-oreocato · poc
https://github.com/soy-oreocato/CVE-2023-46998


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Bootbox.js v3.2 to v6.0
No auth needed
Prerequisites: A web application using vulnerable versions of Bootbox.js · User interaction to trigger the vulnerable function
MITRE ATT&CK
Analyzed by devstral-2, Feb 18, 2026

Scores

CVSS v3 6.1
EPSS 0.3892
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
bootboxjs/bootbox 3.2.0 - 6.0.0
npm/bootbox 3.2.0
Published Nov 07, 2023
Tracked Since Feb 18, 2026