CVE-2018-14042: Bootstrap Cross-Site Scripting Vulnerability in Tooltip Data-Container Property

CVE-2018-14042 identifies a cross-site scripting vulnerability in Bootstrap framework versions 2.3.0 through 3.3.7 and 4.0.0 through 4.1.1 that enables XSS attacks through the data-container property of tooltip components. This vulnerability achieves a CVSS score of 6.1 (Medium severity) with an EPSS score of 87.1 percentile and 3.5% exploitation probability, indicating significant attack potential across web applications using vulnerable Bootstrap versions. The vulnerability details reveal that improper sanitization of the data-container property allows attackers to inject malicious JavaScript code that executes when tooltip elements are rendered, creating substantial exploit risk for web applications that utilize Bootstrap's tooltip functionality with user-controlled input. This creates widespread exposure across multiple package ecosystems including npm, RubyGems, Maven, Composer, and NuGet, affecting JavaScript and Java technologies along with over 12 other affected technologies and 50+ packages and libraries that implement Bootstrap's frontend framework components. The technical root cause lies in Bootstrap's insufficient input validation for the tooltip data-container property, where user-supplied content can bypass sanitization measures and achieve script execution through DOM manipulation, creating a vector for known exploited vulnerabilities targeting frontend web applications. The vulnerability is similar to CVE-2018-14041, indicating a pattern of XSS issues within Bootstrap's tooltip implementation that requires comprehensive remediation. With public exploits available and widespread adoption of Bootstrap across web development projects, this vulnerability represents a significant threat to applications that allow user interaction with tooltip elements or process untrusted data through Bootstrap components. Mitigation steps require upgrading to Bootstrap versions 3.4.0, 4.1.2, or later, which implement proper sanitization for tooltip properties and prevent malicious script injection. Organizations should prioritize identifying all applications using vulnerable Bootstrap versions, implement Content Security Policy (CSP) headers to mitigate XSS impact, validate and sanitize all user inputs before passing to Bootstrap components, and maintain updated CVE database records to track similar client-side vulnerabilities that could compromise web application security through frontend framework exploitation and DOM-based cross-site scripting attacks.