CVE-2018-14040

Severity: medium

Description

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

References

https://github.com/twbs/bootstrap/pull/26630

https://github.com/twbs/bootstrap/issues/26625

https://github.com/twbs/bootstrap/issues/26423

https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/

https://lists.debian.org/debian-lts-announce/2018/08/msg00027.html

https://seclists.org/bugtraq/2019/May/18

http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

http://seclists.org/fulldisclosure/2019/May/13

http://seclists.org/fulldisclosure/2019/May/11

http://seclists.org/fulldisclosure/2019/May/10

https://lists.apache.org/thread.html/[email protected]%3Cdev.superset.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.hbase.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2018-07-13

Updated: 2021-07-22

Type: CWE-79

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

15 plugins in total

ID     | Name                                                                                  | Product                  | Family                                 | Severity
-------|---------------------------------------------------------------------------------------|--------------------------|----------------------------------------|---------
155605 | F5 Networks BIG-IP : Bootstrap vulnerability (K48382137)                              | Nessus                   | F5 Networks Local Security Checks      | medium
154495 | NewStart CGSL CORE 5.05 / MAIN 5.05 : ipa Multiple Vulnerabilities (NS-SA-2021-0171) | Nessus                   | NewStart CGSL Local Security Checks    | medium
152985 | Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14)            | Nessus                   | Misc.                                  | medium
151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated)               | Nessus                   | Misc.                                  | high
147251 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045) | Nessus                   | NewStart CGSL Local Security Checks    | medium
145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847)                           | Nessus                   | CentOS Local Security Checks           | medium
145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670)                                    | Nessus                   | CentOS Local Security Checks           | medium
143080 | RHEL 7 : ipa (RHSA-2020:3936)                                                         | Nessus                   | Red Hat Local Security Checks          | medium
142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670)                                      | Nessus                   | Red Hat Local Security Checks          | medium
142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)                             | Nessus                   | Red Hat Local Security Checks          | medium
141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519)                                          | Nessus                   | Amazon Linux Local Security Checks     | medium
141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001)                     | Nessus                   | Scientific Linux Local Security Checks | medium
141586 | CentOS 7 : ipa (CESA-2020:3936)                                                       | Nessus                   | CentOS Local Security Checks           | medium
112374 | Bootstrap 4.0.0 < 4.1.2 Cross-Site Scripting                                          | Web Application Scanning | Component Vulnerability                | medium
112166 | Debian DLA-1479-1 : twitter-bootstrap3 security update                                | Nessus                   | Debian Local Security Checks           | medium