CVE-2023-46998 — Bootbox.js Cross Site Scripting vulnerability

Description

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

How to fix CVE-2023-46998

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Debian/libjs-bootbox—no fix listed
—no fix listed

Is CVE-2023-46998 being exploited?

Moderate — EPSS is 38.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0
>= 3.2.0, <= 6.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46998
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-46998
PATCHgithub.com/bootboxjs/bootbox
WEBgithub.com/bootboxjs/bootbox/issues/661
WEB