In Bootstrap before 4.1.2, XSS is possible in the `data-target` property of scrollspy.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| bootstrap (npm) | 4.0.0 | 4.1.2 | N/A |
| typo3/cms-core (Packagist) | 8.0.0 | 8.7.23 | N/A |
| typo3/cms-core (Packagist) | 9.0.0 | 9.5.4 | N/A |
| typo3/cms (Packagist) | 8.0.0 | 8.7.23 | N/A |
| typo3/cms (Packagist) | 9.0.0 | 9.5.4 | N/A |
| bootstrap (RubyGems) | 4.0.0 | 4.1.2 | N/A |
| twbs/bootstrap (Packagist) | 4.0.0 | 4.1.2 | N/A |
| bootstrap (NuGet) | 4.0.0 | 4.1.2 | N/A |
| bootstrap.sass (NuGet) | 4.0.0 | 4.1.2 | N/A |
| org.webjars:bootstrap (Maven) | 4.0.0 | 4.1.2 | N/A |

CVSS Metrics