CVE-2018-14042 — Bootstrap Cross-site Scripting vulnerability · VulnScope

CVE-2018-14042

Bootstrap Cross-site Scripting vulnerability

6.1

MEDIUM

CVSS 3.1

EPSS 2.3%

Description

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

How to fix CVE-2018-14042

To remediate CVE-2018-14042, upgrade the affected package to a fixed version below.

Debian/twitter-bootstrap3—upgrade to 3.4.0+dfsg-1 or later
Maven/org.webjars:bootstrap—upgrade to 4.1.2 or later
—upgrade to 4.1.2 or later
—upgrade to 3.4.0 or later
—upgrade to 4.1.2 or later
—upgrade to 4.1.2 or later
—upgrade to 4.1.2 or later
—upgrade to 4.1.2 or later
—upgrade to 3.4.0 or later

Is CVE-2018-14042 being exploited?

Low — EPSS is 2.3%, meaning exploitation activity has not been observed at scale.

Affected packages (9)

from 0, < 3.4.0+dfsg-1
>= 4.0.0, < 4.1.2
>= 4.0.0, < 4.1.2
>= 2.0.4, < 3.4.0
>= 4.0.0, < 4.1.2
>= 4.0.0, < 4.1.2
>= 4.0.0, < 4.1.2
>= 4.0.0, < 4.1.2
>= 2.3.0, < 3.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (26)