CVE-2024-6485

MEDIUM

Bootstrap - XSS

Description

A security vulnerability has been discovered in Bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. It can be exploited by injecting malicious JavaScript code into the attribute, which is then executed when the button's loading state is triggered.

Exploits (1)

nomisec WORKING POC 3 stars
by Yumeae · poc
https://github.com/Yumeae/Bootstrap-with-XSS

Scores

CVSS v3 6.4
EPSS 0.0014
EPSS Percentile 33.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Details

CWE
CWE-79
Status published
Products (3)
Bootstrap/Bootstrap 1.4.0 - 3.4.1
Bootstrap-sass/bootstrap-sass 2.3.2 - 3.4.3
npm/bootstrap 1.4.0 (npm)
Published Jul 11, 2024
Tracked Since Feb 18, 2026