6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6484

GHSA ID

GHSA-9mvj-f7w8-pvh2

EPSS Score

0.13059%

CWE

CWE-79

Published

7/11/2024

Updated

1/31/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6484

CVE-2024-6484:
Bootstrap Cross-Site Scripting (XSS) vulnerability

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6484

GHSA ID

GHSA-9mvj-f7w8-pvh2

EPSS Score

0.13059%

CWE

CWE-79

Published

7/11/2024

Updated

1/31/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions
bootstrap	npm	>= 2.0.0, <= 3.4.1
bootstrap	rubygems	>= 2.0.0, <= 3.4.1
bootstrap	nuget	>= 2.0.0, <= 3.4.1
bootstrap-sass	rubygems	>= 2.0.0, <= 3.4.1
bootstrap.sass	nuget	>= 2.0.0, <= 3.4.1
twbs/bootstrap	composer	>= 2.0.0, <= 3.4.1
org.webjars:bootstrap	maven	>= 2.0.0, <= 3.4.1
org.webjars.npm:bootstrap	maven	>= 2.0.0, <= 3.4.1
bootstrap-sass	npm	>= 2.0.0, <= 3.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Bootstrap's carousel component handling of anchor elements with data-slide/data-slide-to attributes. When data-target is missing, the code falls back to using the href attribute without proper sanitization. The Carousel.prototype.handle and associated click handlers are responsible for processing these navigation events. These functions fail to properly validate() that the href value contains only a valid carousel selector, allowing execution of arbitrary JavaScript through javascript: URIs. The HeroDevs reproduction demonstrates this occurs in the carousel event handling logic, and the CWE-79 classification confirms this is an input sanitization failure in web page generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n i**nti*i** in *ootstr*p t**t *xpos*s us*rs to *ross-Sit* S*riptin* (XSS) *tt**ks. T** issu* is pr*s*nt in t** **rous*l *ompon*nt, w**r* t** `**t*-sli**` *n* `**t*-sli**-to` *ttri*ut*s **n ** *xploit** t*rou** t** *r** *ttri*u

Reasoning

T** vuln*r**ility st*ms *rom *ootstr*p's **rous*l *ompon*nt **n*lin* o* *n**or *l*m*nts wit* **t*-sli**/**t*-sli**-to *ttri*ut*s. W**n **t*-t*r**t is missin*, t** *o** **lls ***k to usin* t** *r** *ttri*ut* wit*out prop*r s*nitiz*tion. T** `**rous*l.

6.4

Basic Information

Concerned about an active attack path?

CVE-2024-6484: Bootstrap Cross-Site Scripting (XSS) vulnerability

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-6484:
Bootstrap Cross-Site Scripting (XSS) vulnerability

Vulnerability Intelligence
Miggo AI