GHSA-ph58-4vrj-w6hr
Source
https://github.com/advisories/GHSA-ph58-4vrj-w6hr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-ph58-4vrj-w6hr/GHSA-ph58-4vrj-w6hr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ph58-4vrj-w6hr
Aliases
CVE-2018-20677
Published
2019-01-17T13:57:56Z
Modified
2024-08-05T17:24:11.911420Z
Severity
6.1 (Medium)
CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
bootstrap Cross-site Scripting vulnerability
Details
In Bootstrap before 3.4.0, XSS is possible through the affix plugin's "target" configuration option. The plugin passed the option straight to jQuery's $(), which parses a string that looks like an HTML fragment (such as a value starting with "<" and ending with ">") as markup rather than as a selector, so a value an attacker controls (for example untrusted input an application writes into the data-target attribute of a data-spy="affix" element, which the data API reads as the option) can create elements whose inline event handlers execute as script. Bootstrap 3.4.0 resolves a non-default "target" with $(document).find(), which accepts selectors only.
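The following is an added example, not code from Bootstrap or jQuery. It re-implements the decision jQuery's $() makes between "this string is HTML" and "this string is a selector" (the leading/trailing angle-bracket shortcut and the quick regular expression from jQuery's init), models the pre-3.4.0 affix shape $(options.target) beside the 3.4.0 shape $(document).find(options.target), and runs a constructed set of data-target values through both. The names jqueryTreatsAsHtml, affixTargetVulnerable, affixTargetFixed, auditAffixTargets and SAMPLE_TARGETS are this example's own, and the sample values are constructed for it.

```javascript
// Added example (not Bootstrap's or jQuery's code): re-implementation of the
// HTML-vs-selector test jQuery's $() applies, so the affix "target" issue can
// be reasoned about offline without loading jQuery or a DOM.

// jQuery's "quick expression": group 1 captures an HTML fragment (optionally
// after whitespace, optionally followed by text with no ">"), group 2 a bare #id.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True when $(str) would hand the string to jQuery.parseHTML (creating nodes,
// inline event handlers included) instead of running it as a selector.
function jqueryTreatsAsHtml(str) {
  if (typeof str !== "string" || str.length === 0) return false;
  // Strings that start with "<" and end with ">" skip the regex entirely.
  if (str[0] === "<" && str[str.length - 1] === ">" && str.length >= 3) return true;
  const m = RQUICK_EXPR.exec(str);
  return Boolean(m && m[1]);
}

// Pre-3.4.0 shape: this.$target = $(options.target). Returns what jQuery would
// build from the option: parsed markup for HTML-looking input, else a query.
function affixTargetVulnerable(target) {
  return jqueryTreatsAsHtml(target)
    ? { kind: "html", markup: target }
    : { kind: "selector", query: target };
}

// 3.4.0 shape: $(document).find(options.target). find() only runs the selector
// engine, which rejects HTML-looking input as an unrecognized expression
// instead of parsing it, so no markup is ever created from the option.
function affixTargetFixed(target) {
  if (jqueryTreatsAsHtml(target)) {
    throw new SyntaxError("unrecognized expression: " + target);
  }
  return { kind: "selector", query: target };
}

// Audit helper: given the data-target values an application renders, return
// the ones a pre-3.4.0 affix would have parsed as HTML.
function auditAffixTargets(values) {
  return values.filter((v) => affixTargetVulnerable(v).kind === "html");
}

// Constructed sample values, as they might appear in data-target attributes.
const SAMPLE_TARGETS = [
  "#sidebar",                          // ordinary id selector
  "#nav > .item",                      // contains ">" but is a plain selector
  "a<b>c",                             // "<" not at the start: still a selector
  "<img src=x onerror=alert(1)>",      // HTML-looking value: parsed as markup
  "  <svg onload=alert(1)>trailing",   // leading space, trailing text: still HTML
  "<b",                                // no closing ">": selector path (a syntax error)
];

for (const t of SAMPLE_TARGETS) {
  let fixed;
  try { fixed = affixTargetFixed(t).kind; } catch (e) { fixed = "rejected"; }
  console.log(JSON.stringify(t), "-> before 3.4.0:", affixTargetVulnerable(t).kind, "| 3.4.0:", fixed);
}
```

The second and third sample values matter in practice: a ">" or "<" somewhere inside a selector does not trigger the HTML path, which is why a quick grep for angle brackets over-reports, while a leading space before the fragment does not protect anything. The fixed shape also shows the trade-off of the upstream change: a value that used to be parsed as HTML now throws from the selector engine, so the upgrade can surface a runtime error where an application was (usually unintentionally) relying on markup in the option.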
References
https://nvd.nist.gov/vuln/detail/CVE-2018-20677
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
https://github.com/twbs/bootstrap/issues/27045
https://github.com/twbs/bootstrap/pull/27047
https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E
https://github.com/twbs/bootstrap
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2018-20677.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2018-20677.yml
https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
https://access.redhat.com/errata/RHSA-2020:0133
https://access.redhat.com/errata/RHSA-2020:0132
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:1456
https://access.redhat.com/errata/RHBA-2019:1570
https://access.redhat.com/errata/RHBA-2019:1076
Affected packages
npm / bootstrap
Package
Name
bootstrap
Purl
pkg:npm/bootstrap
Affected ranges
Type
SEMVER
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
npm / bootstrap-sass
Package
Name
bootstrap-sass
Purl
pkg:npm/bootstrap-sass
Affected ranges
Type
SEMVER
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
Packagist / twbs/bootstrap
Package
Name
twbs/bootstrap
Purl
pkg:composer/twbs/bootstrap
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
Affected versions
v2.*
v2.2.2
v2.3.0
v2.3.1
v2.3.2
v3.*
v3.0.0-rc1
v3.0.0-rc.2
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v3.3.1
v3.3.2
v3.3.4
v3.3.5
v3.3.6
v3.3.7
Maven / org.webjars:bootstrap
Package
Name
org.webjars:bootstrap
Purl
pkg:maven/org.webjars/bootstrap
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
Affected versions
1.*
1.3.0
2.*
2.0.2
2.1.1
2.2.1
2.2.2
2.2.2-1
2.3.0
2.3.1
2.3.1-1
2.3.2
3.*
3.0.0-rc1
3.0.0-rc.2
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.1-1
3.1.1-2
3.2.0
3.2.0-1
3.2.0-2
3.3.0
3.3.1
3.3.2
3.3.2-1
3.3.2-2
3.3.4
3.3.5
3.3.6
3.3.7
3.3.7-1
RubyGems / bootstrap
Package
Name
bootstrap
Purl
pkg:gem/bootstrap
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
RubyGems / bootstrap-sass
Package
Name
bootstrap-sass
Purl
pkg:gem/bootstrap-sass
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
Affected versions
1.*
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.3.1
2.0.4.0
2.0.4.1
2.0.4.2
2.1.0.0
2.1.0.1
2.1.1.0
2.2.1.0
2.2.1.1
2.2.2.0
2.3.0.0
2.3.0.1
2.3.1.0
2.3.1.2
2.3.1.3
2.3.2.0
2.3.2.1
2.3.2.2
3.*
3.0.0.0.rc
3.0.0.0.rc2
3.0.0.0
3.0.1.0.rc
3.0.1.0
3.0.2.0
3.0.2.1
3.0.3.0
3.1.0.0
3.1.0.1
3.1.0.2
3.1.1.0
3.1.1.1
3.2.0.4
3.3.0.0
3.3.0.1
3.3.1.0
3.3.2.0
3.3.2.1
3.3.3
3.3.4.1
3.3.5
3.3.5.1
3.3.6
3.3.7
NuGet / bootstrap
Package
Name
bootstrap
Purl
pkg:nuget/bootstrap
Affected ranges
Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
3.4.0
Affected versions
1.*
1.0.0
2.*
2.3.1
2.3.2
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.2.0
3.3.0
3.3.1
3.3.2
3.3.4
3.3.5
3.3.6-jQuery3
3.3.6
3.3.6.1
3.3.7
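Every range above is "introduced 0, fixed 3.4.0", but the version spellings differ by ecosystem (3.0.0-rc1, 3.3.7-1, 3.3.6-jQuery3, 3.0.0.0.rc, a leading "v"), and a prerelease of the fixed version sorts below it. The following is an added example, not OSV's own code: it evaluates a dependency against OSV-style affected ranges using the introduced / fixed / last_affected event semantics, with a comparator that handles those spellings. The ADVISORY object is a constructed subset of the JSON linked above (three of the affected entries), DEPENDENCIES is a constructed list, and the function names are this example's own. For the ECOSYSTEM-typed range it assumes the ecosystem's ordering agrees with the numeric-then-prerelease ordering used here, which holds for the versions listed on this page.

```javascript
// Added example (not OSV's code): decide whether a dependency falls inside an
// OSV affected range using the events semantics (introduced / fixed /
// last_affected), with a comparator that copes with the version spellings on
// this page: 3.0.0-rc1, 3.3.7-1, 3.3.6-jQuery3, 3.0.0.0.rc, v2.3.2.

// Constructed subset of this advisory's "affected" array (same ranges as above).
const ADVISORY = {
  id: "GHSA-ph58-4vrj-w6hr",
  affected: [
    { package: { ecosystem: "npm", name: "bootstrap" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "3.4.0" }] }] },
    { package: { ecosystem: "npm", name: "bootstrap-sass" },
      ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "3.4.0" }] }] },
    { package: { ecosystem: "RubyGems", name: "bootstrap-sass" },
      ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }, { fixed: "3.4.0" }] }] },
  ],
};

// Split a version into numeric components and prerelease identifiers. A dash
// starts the prerelease part (3.0.0-rc.2, 3.3.7-1, 3.3.6-jQuery3); so does the
// first non-numeric dotted segment (the "rc" in the RubyGems style 3.0.0.0.rc).
function parseVersion(raw) {
  const s = String(raw).trim().replace(/^v/i, "");
  const dash = s.indexOf("-");
  const core = dash === -1 ? s : s.slice(0, dash);
  const nums = [], pre = [];
  for (const seg of core.split(".")) {
    if (pre.length === 0 && /^\d+$/.test(seg)) nums.push(Number(seg));
    else pre.push(seg);
  }
  if (dash !== -1) pre.push(...s.slice(dash + 1).split("."));
  if (nums.length === 0) throw new Error("unparseable version: " + raw);
  return { nums, pre };
}

// Prerelease identifiers compare the semver way: numeric ones numerically and
// below alphanumeric ones, alphanumeric ones lexically.
function compareIdentifiers(x, y) {
  const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
  if (xn && yn) return Math.sign(Number(x) - Number(y));
  if (xn !== yn) return xn ? -1 : 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

// -1, 0 or 1. Missing numeric components count as 0 (3.4 == 3.4.0); a release
// outranks its own prereleases (3.4.0-rc1 < 3.4.0).
function compareVersions(a, b) {
  const n = Math.max(a.nums.length, b.nums.length);
  for (let i = 0; i < n; i++) {
    const d = Math.sign((a.nums[i] || 0) - (b.nums[i] || 0));
    if (d !== 0) return d;
  }
  if (a.pre.length === 0 || b.pre.length === 0) return Math.sign(b.pre.length - a.pre.length);
  const m = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < m; i++) {
    const d = compareIdentifiers(a.pre[i], b.pre[i]);
    if (d !== 0) return d;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

function eventVersion(ev) {
  return ev.introduced !== undefined ? ev.introduced : ev.fixed !== undefined ? ev.fixed : ev.last_affected;
}

// Status under one range: walk the events in version order and let the last
// event at or below the version decide. "introduced: 0" covers everything.
function affectedByRange(version, range) {
  const v = parseVersion(version);
  const events = [...range.events].sort(
    (a, b) => compareVersions(parseVersion(eventVersion(a)), parseVersion(eventVersion(b))));
  let affected = false;
  for (const ev of events) {
    const cmp = compareVersions(v, parseVersion(eventVersion(ev)));
    if ("introduced" in ev) { if (cmp >= 0) affected = true; }
    else if ("fixed" in ev) { if (cmp >= 0) affected = false; }
    else if ("last_affected" in ev) { if (cmp > 0) affected = false; }
  }
  return affected;
}

function isAffected(advisory, ecosystem, name, version) {
  return advisory.affected.some((entry) =>
    entry.package.ecosystem === ecosystem && entry.package.name === name &&
    (entry.ranges || []).some((range) => affectedByRange(version, range)));
}

// Constructed dependency list in the shape a lockfile scanner would produce.
const DEPENDENCIES = [
  { ecosystem: "npm", name: "bootstrap", version: "3.3.7" },
  { ecosystem: "npm", name: "bootstrap", version: "3.4.0" },
  { ecosystem: "npm", name: "bootstrap", version: "3.4.0-rc1" },
  { ecosystem: "npm", name: "bootstrap-sass", version: "v2.3.2" },
  { ecosystem: "RubyGems", name: "bootstrap-sass", version: "3.0.0.0.rc" },
  { ecosystem: "npm", name: "lodash", version: "4.17.21" },
];

function scanDependencies(advisory, deps) {
  return deps
    .filter((d) => isAffected(advisory, d.ecosystem, d.name, d.version))
    .map((d) => `${d.ecosystem}/${d.name}@${d.version}`);
}

console.log(scanDependencies(ADVISORY, DEPENDENCIES));
```

Note what the SEMVER range says about 3.4.0-rc1: it is below 3.4.0, so the range flags it, and a scanner that compared only the numeric components would silently miss that. Whether a given prerelease build actually contains the fix is a separate question that the range data does not answer.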
GHSA-ph58-4vrj-w6hr - OSV