CVE-2014-4920 — Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails

Description

The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

How to fix CVE-2014-4920

To remediate CVE-2014-4920, upgrade the affected package to a fixed version below.

RubyGems/twitter-bootstrap-rails—upgrade to 3.2.0 or later

Is CVE-2014-4920 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2014-4920.

Affected packages (1)

from 0, < 3.2.0

References (2)

WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2014-4920.yml
WEBnvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter