{"id":"GHSA-4p24-vmcr-4gqj","summary":"Bootstrap Cross-site Scripting vulnerability","details":"In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.\n\nSee https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.","aliases":["CVE-2016-10735"],"modified":"2026-02-04T04:23:38.122260Z","published":"2019-01-17T13:57:27Z","related":["CGA-6wg7-48v4-2pj7"],"database_specific":{"github_reviewed_at":"2020-06-16T20:58:39Z","cwe_ids":["CWE-79"],"severity":"MODERATE","github_reviewed":true,"nvd_published_at":"2019-01-09T05:29:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10735"},{"type":"WEB","url":"https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906"},{"type":"WEB","url":"https://github.com/twbs/bootstrap/issues/20184"},{"type":"WEB","url":"https://github.com/twbs/bootstrap/pull/26460"},{"type":"WEB","url":"https://github.com/twbs/bootstrap/pull/23687"},{"type":"WEB","url":"https://github.com/twbs/bootstrap/pull/23679"},{"type":"WEB","url":"https://github.com/github/advisory-database/pull/3281"},{"type":"PACKAGE","url":"https://github.com/twbs/bootstrap"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2016-10735.yml"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2016-10735.yml"},{"type":"WEB","url":"https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0"},{"type":"WEB","url":"https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0133"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0132"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3023"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1456"},{"type":"WEB","url":"https://access.redhat.com/errata/RHBA-2019:1570"},{"type":"WEB","url":"https://access.redhat.com/errata/RHBA-2019:1076"}],"affected":[{"package":{"name":"bootstrap","ecosystem":"npm","purl":"pkg:npm/bootstrap"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap","ecosystem":"npm","purl":"pkg:npm/bootstrap"},"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0.0-beta"},{"fixed":"4.0.0-beta.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"org.webjars:bootstrap","ecosystem":"Maven","purl":"pkg:maven/org.webjars/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"versions":["2.1.1","2.2.1","2.2.2","2.2.2-1","2.3.0","2.3.1","2.3.1-1","2.3.2","3.0.0","3.0.0-rc.2","3.0.0-rc1","3.0.1","3.0.2","3.0.3","3.1.0","3.1.1","3.1.1-1","3.1.1-2","3.2.0","3.2.0-1","3.2.0-2","3.3.0","3.3.1","3.3.2","3.3.2-1","3.3.2-2","3.3.4","3.3.5","3.3.6","3.3.7","3.3.7-1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"org.webjars:bootstrap","ecosystem":"Maven","purl":"pkg:maven/org.webjars/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0-beta"},{"fixed":"4.0.0-beta.2"}]}],"versions":["4.0.0-beta","4.0.0-beta-1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap","ecosystem":"RubyGems","purl":"pkg:gem/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.0-beta.2"}]}],"versions":["4.0.0.alpha1","4.0.0.alpha2","4.0.0.alpha3","4.0.0.alpha3.1","4.0.0.alpha4","4.0.0.alpha5","4.0.0.alpha6","4.0.0.beta","4.0.0.beta2","4.0.0.beta2.1","4.0.0.beta3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"twbs/bootstrap","ecosystem":"Packagist","purl":"pkg:composer/twbs/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"versions":["v2.2.2","v2.3.0","v2.3.1","v2.3.2","v3.0.0","v3.0.0-rc.2","v3.0.0-rc1","v3.0.1","v3.0.2","v3.0.3","v3.1.0","v3.1.1","v3.2.0","v3.3.0","v3.3.1","v3.3.2","v3.3.4","v3.3.5","v3.3.6","v3.3.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"twbs/bootstrap","ecosystem":"Packagist","purl":"pkg:composer/twbs/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0-beta"},{"fixed":"4.0.0-beta.2"}]}],"versions":["v4.0.0-beta"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap","ecosystem":"NuGet","purl":"pkg:nuget/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"versions":["2.3.1","2.3.2","3.0.0","3.0.1","3.0.2","3.0.3","3.1.0","3.1.1","3.2.0","3.3.0","3.3.1","3.3.2","3.3.4","3.3.5","3.3.6","3.3.6-jQuery3","3.3.6.1","3.3.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap","ecosystem":"NuGet","purl":"pkg:nuget/bootstrap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0-beta"},{"fixed":"4.0.0-beta.2"}]}],"versions":["4.0.0-beta"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap-sass","ecosystem":"npm","purl":"pkg:npm/bootstrap-sass"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap-sass","ecosystem":"RubyGems","purl":"pkg:gem/bootstrap-sass"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.4"},{"fixed":"3.4.0"}]}],"versions":["2.0.4.0","2.0.4.1","2.0.4.2","2.1.0.0","2.1.0.1","2.1.1.0","2.2.1.0","2.2.1.1","2.2.2.0","2.3.0.0","2.3.0.1","2.3.1.0","2.3.1.2","2.3.1.3","2.3.2.0","2.3.2.1","2.3.2.2","3.0.0.0","3.0.0.0.rc","3.0.0.0.rc2","3.0.1.0","3.0.1.0.rc","3.0.2.0","3.0.2.1","3.0.3.0","3.1.0.0","3.1.0.1","3.1.0.2","3.1.1.0","3.1.1.1","3.2.0.4","3.3.0.0","3.3.0.1","3.3.1.0","3.3.2.0","3.3.2.1","3.3.3","3.3.4.1","3.3.5","3.3.5.1","3.3.6","3.3.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}},{"package":{"name":"bootstrap.sass","ecosystem":"NuGet","purl":"pkg:nuget/bootstrap.sass"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0-beta"},{"fixed":"4.0.0-beta.2"}]}],"versions":["4.0.0-beta"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4p24-vmcr-4gqj/GHSA-4p24-vmcr-4gqj.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}