6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6485

GHSA ID

GHSA-vxmc-5x29-h64v

EPSS Score

0.15268%

CWE

CWE-79

Published

7/11/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-6485

CVE-2024-6485:
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-6485

GHSA ID

GHSA-vxmc-5x29-h64v

EPSS Score

0.15268%

CWE

CWE-79

Published

7/11/2024

Updated

11/18/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bootstrap	npm	>= 1.4.0, < 3.4.1	3.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Bootstrap's button plugin handles data-*-text attributes during state changes. The Button.prototype.setState function is responsible for updating button text when entering loading state, using jQuery.html() method with raw attribute values. This bypasses input sanitization as evidenced by the PoC where user-controlled input from data attributes gets executed as HTML. The first patched version (3.4.1) likely introduced sanitization in this state transition logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity vuln*r**ility **s ***n *is*ov*r** in *ootstr*p t**t *oul* *n**l* *ross-Sit* S*riptin* (XSS) *tt**ks. T** vuln*r**ility is *sso*i*t** wit* t** **t*-lo**in*-t*xt *ttri*ut* wit*in t** *utton plu*in. T*is vuln*r**ility **n ** *xploit** *y inj*

Reasoning

T** vuln*r**ility st*ms *rom *ow *ootstr*p's *utton plu*in **n*l*s **t*-*-t*xt *ttri*ut*s *urin* st*t* ***n**s. T** `*utton.prototyp*.s*tSt*t*` *un*tion is r*sponsi*l* *or up**tin* *utton t*xt w**n *nt*rin* lo**in* st*t*, usin* `jQu*ry.*tml()` m*t*o*

6.4

Basic Information

Concerned about an active attack path?

CVE-2024-6485: Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-6485:
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

Vulnerability Intelligence
Miggo AI