CVE-2024-6531 - A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks

[hashaghate]

Hi All,

In our ASP.NET application, we are using Bootstrap version 5.3.1
But NexusScan flagged out vulnerability CVE-2024-6531 and recommendation is given as
"There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control."

Please share your thoughs and suggestions on how to fix this.

[julien-deramond]

Hi @hashaghate
CVE-2024-6531, where the details are at https://www.herodevs.com/vulnerability-directory/cve-2024-6531, affects Bootstrap >=4.0.0 <=4.6.2.
You're using Bootstrap version 5.3.1, so you're not concerned by this CVE.

[julien-deramond]

At first, on SNYK, it was flagged out as Bootstrap * (all versions), but this was a mistake. IDK if that's the case for NexusScan. TBH, I don't know exactly how it works. But I'm sure that the recent CVEs published in July (except if their content changes at some point), don't affect Bootstrap 5. The corresponding versions can be found each time in the Hero Devs links.

[hashaghate]

@julien-deramond Thanks for your reply. That’s very useful information.
Could you please share link where it’s mentioned that it was a mistake when it was flagged out for Bootstrap versions for reference purpose.

[julien-deramond]

It was there: https://security.snyk.io/package/npm/bootstrap. But not visible anymore as the right affected versions are now mentioned

[biomedia-thomas]

But I'm sure that the recent CVEs published in July (except if their content change at some point), don't affect Bootstrap 5. The corresponding versions can be found each time in the Hero Devs links.

Could you maybe explain why version 5 isn't affected? CVE-2024-6531 and CVE-2024-6484 are pretty much the same issue but it doesn't seem very different in 5. If I modify the proof of concept to bootstrap 5.3.3 and update some classnames with -bs- it still shows the 'XSS' alert:
https://codepen.io/bmthomas/pen/YzoQBdM

I'm having a hard time viewing these CVE's as XSS, the actual issue seems to be "preventDefault not called on links with data-(bs-)slide with malformed href attributes". Calling this XSS by assuming the href attribute has already been compromised seems a bit far fetched and would be an issue even without bootstrap. Bootstrap doesn't actually evaluate the href, it's just not preventing you from click-activating it. But maybe I'm missing something crucial since there are no public patches for this issue.

[julien-deramond]

Our security team is evaluating the impact on v5 based on the recent CVEs. For now, v5 is considered as not impacted.