-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-3wqf-4x89-9g79] Bootstrap vulnerable to Cross-Site Scripting (XSS) #3282
[GHSA-3wqf-4x89-9g79] Bootstrap vulnerable to Cross-Site Scripting (XSS) #3282
Conversation
Hi @jenhae, I disagree that version 2.3.0 is vulnerable. The line of code in |
Hi @shelbyc, I couldn't find the affected line either, I'm not sure how bootstrap-affix correlates with bootstrap-collapse. I was talking about the https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js, maybe another vulnerability. However, I could track down the issue to line 34 of bootstrap-collapse using my example, see https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34. |
@jenhae I read at the bottom of https://github.com/twbs/bootstrap/commits/v3.0.0/js/collapse.js that the file was renamed to With respect to https://github.com/twbs/bootstrap/blob/v2.3.0/js/bootstrap-collapse.js#L34, I think you should bring your concerns to the maintainers and ask them if they believe this might be another vulnerability. Their According to this commit, Ultimately, I'm not a JavaScript expert, and the people in the best position to assess whether or not the software has bugs are the maintainers, who are the experts in how Bootstrap works. Thank you for the nice conversation, and I hope I was able to provide some information to help you move forward! |
I think you are right @jenhae! The affected versions should be edited in GHSA-3wqf-4x89-9g79 |
@jenhae I think this one should also be edited. GHSA-7mvr-5x2g-wfc8 |
@1Jesper1 you're right. Feel free to suggest an improvement https://github.com/advisories/GHSA-7mvr-5x2g-wfc8/improve |
Will do soon! |
@jenhae Could you review? https://github.com/github/advisory-database/pull/3297/files I think the affected versions could also be tuned in your improvement. |
@1Jesper1 I've read your input here and #3297 and have read the original bug reports. I have a question about this comment in the thread where you originally reported CVE-2018-14042. The comment is from the person who answered this message on the Debian mailing list. The respondent claims that Bootstrap 2.0.2, 3.2.0, and 3.3.7 aren't affected by CVE-2018-14042. The respondent also claims that What do you think of these findings? |
@shelbyc About twbs/bootstrap#26628 (comment) |
@shelbyc 3.4.0 is not vulnerable. So might be "Vulnerable from Bootstrap 2.3.0 to 3.3.7 and 4.x before 4.1.2" |
"published": "2022-05-13T01:07:54Z", | ||
"aliases": [ | ||
"CVE-2018-14040" | ||
], | ||
"summary": "Bootstrap vulnerable to Cross-Site Scripting (XSS)", | ||
"details": "In Bootstrap 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.", | ||
"details": "From Bootstrap 2.3.0 to 3.4.0 and 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to 3.3.7?
I showed this contribution and #3297 to my teammates and one of them found something interesting! Changing the jQuery version also affects whether the XSS is hit. For example, the response from the Debian mailing list I mentioned earlier has the following links:
When we switch all links to using jQuery 3.3.1, the outcome changes:
Trying this with versions 3.4.0, 3.3.7, 2.3.0, and 2.2.2:
Do either of you find that the version of jQuery used affects the outcome of the test? |
@shelbyc I think jQuery 3.3.2 does not exist.. |
fa409b0
into
jenhae/advisory-improvement-3282
Hi @jenhae! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
@jenhae @1Jesper1 Thank you both for using your time and expertise to help me understand GHSA-3wqf-4x89-9g79 and GHSA-7mvr-5x2g-wfc8! I've updated both advisories and am contacting MITRE at https://cveform.mitre.org/ to request to have the CVE records for CVE-2018-14040 and CVE-2018-14042 updated as well. |
Updates
Comments
I used the demonstration example from twbs/bootstrap#26625 (comment) and proofed, that also version 2.3.0 and above are affected, but 3.4.0 is not, see https://jsbin.com/xixaqeyofi/edit?html,output