In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| bootstrap (npm) | 2.0.4 | 3.4.0 | N/A |
| bootstrap (npm) | 4.0.0-beta | 4.0.0-beta.2 | N/A |
| org.webjars:bootstrap (Maven) | 2.0.4 | 3.4.0 | N/A |
| org.webjars:bootstrap (Maven) | 4.0.0-beta | 4.0.0-beta.2 | N/A |
| bootstrap (RubyGems) | 0 | 4.0.0-beta.2 | N/A |
| twbs/bootstrap (Packagist) | 2.0.4 | 3.4.0 | N/A |
| twbs/bootstrap (Packagist) | 4.0.0-beta | 4.0.0-beta.2 | N/A |
| bootstrap (NuGet) | 2.0.4 | 3.4.0 | N/A |
| bootstrap (NuGet) | 4.0.0-beta | 4.0.0-beta.2 | N/A |
| bootstrap-sass (npm) | 2.0.4 | 3.4.0 | N/A |
| bootstrap-sass (RubyGems) | 2.0.4 | 3.4.0 | N/A |
| bootstrap.sass (NuGet) | 4.0.0-beta | 4.0.0-beta.2 | N/A |