N/A

CVSS Score

Basic Information

CVE ID

CVE-2014-4920

GHSA ID

GHSA-vpqv-mqvc-pcx2

EPSS Score

CWE

CWE-79

Published

3/16/2023

Updated

3/16/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-4920

CVE-2014-4920:
Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails

The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2014-4920

GHSA ID

GHSA-vpqv-mqvc-pcx2

EPSS Score

CWE

CWE-79

Published

3/16/2023

Updated

3/16/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

vuln_not_found

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
twitter-bootstrap-rails	rubygems	< 3.2.0	3.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly states the vulnerability exists in the bootstrap_flash helper method's lack of input validation. As a flash message handler that directly outputs user-influenced content without sanitization, it creates an XSS vector. The description directly links this method to the vulnerability mechanism, and the patched version (3.2.0) likely adds proper sanitization here.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** twitt*r-*ootstr*p-r*ils **m *or R*ils *ont*ins * *l*w t**t *n**l*s * r**l**t** *ross-sit* s*riptin* (XSS) *tt**k. T*is *l*w *xists ****us* t** *ootstr*p_*l*s* **lp*r m*t*o* *o*s not v*li**t* input w**n **n*lin* *l*s* m*ss***s ***or* r*turnin* it

Reasoning

T** **visory *xpli*itly st*t*s t** vuln*r**ility *xists in t** `*ootstr*p_*l*s*` **lp*r m*t*o*'s l**k o* input v*li**tion. *s * *l*s* m*ss*** **n*l*r t**t *ir**tly outputs us*r-in*lu*n*** *ont*nt wit*out s*nitiz*tion, it *r**t*s *n XSS v**tor. T** **

N/A

Basic Information

Concerned about an active attack path?

CVE-2014-4920: Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2014-4920:
Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails

Vulnerability Intelligence
Miggo AI