CVE-2024-6485

NameCVE-2024-6485
DescriptionA security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1084060

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
twitter-bootstrap3 (PTS)bullseye3.4.1+dfsg-2vulnerable
sid, trixie, bookworm3.4.1+dfsg-3vulnerable
twitter-bootstrap4 (PTS)bullseye4.5.2+dfsg1-8~deb11u1fixed
sid, trixie, bookworm4.6.1+dfsg1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
twitter-bootstrap3source(unstable)(unfixed)1084060
twitter-bootstrap4source(unstable)(not affected)

Notes

- twitter-bootstrap4 <not-affected> (Only affects 3.x)
[bookworm] - twitter-bootstrap3 <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - twitter-bootstrap3 <postponed> (Minor issue; can be fixed in next update)
https://www.herodevs.com/vulnerability-directory/cve-2024-6485
Search for package or bug name: Reporting problems