In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover `data-template` attribute.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| bootstrap(RubyGems) | 0 | 4.3.1 | N/A |
| bootstrap-sass(RubyGems) | 3.0.0 | 3.4.1 | N/A |
| Bootstrap.Less(NuGet) | 3.0.0 | 3.4.1 | N/A |
| bootstrap(NuGet) | 4.0.0 | 4.3.1 | N/A |
| bootstrap(NuGet) | 3.0.0 | 3.4.1 | N/A |
| bootstrap.sass(NuGet) | 0 | 4.3.1 | N/A |
| bootstrap(npm) | 4.0.0 | 4.3.1 | N/A |
| bootstrap(npm) | 3.0.0 | 3.4.1 | N/A |
| bootstrap-sass(npm) | 3.0.0 | 3.4.1 | N/A |
| twitter-bootstrap-rails(RubyGems) | 0 | N/A | N/A |
| org.webjars:bootstrap(Maven) | 3.0.0 | 3.4.1 | N/A |
| org.webjars:bootstrap(Maven) | 4.0.0 | 4.3.1 | N/A |
| twbs/bootstrap(Packagist) | 3.0.0 | 3.4.1 | N/A |
| twbs/bootstrap(Packagist) | 4.0.0 | 4.3.1 | N/A |

CVSS Metrics