CVE-2019-8331medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
References
https://github.com/twbs/bootstrap/releases/tag/v4.3.1
https://github.com/twbs/bootstrap/pull/28236
http://www.securityfocus.com/bid/107375
https://github.com/twbs/bootstrap/releases/tag/v3.4.1
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
https://support.f5.com/csp/article/K24383845
https://seclists.org/bugtraq/2019/May/18
http://seclists.org/fulldisclosure/2019/May/13
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/10
https://access.redhat.com/errata/RHSA-2019:1456
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.superset.apache.org%3E
https://access.redhat.com/errata/RHSA-2019:3023
https://access.redhat.com/errata/RHSA-2019:3024
https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E
https://support.f5.com/csp/article/K24383845?utm_source=f5support&utm_medium=RSS
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
https://lists.apache.org/thread.html/[email protected]%3Cissues.hbase.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
Details
Source: MITRE
Published: 2019-02-20
Updated: 2021-07-22
Type: CWE-79
Risk Information
CVSS v2
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3
Base Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.8
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
Configuration 2
OR
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
Configuration 3
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 154495 | NewStart CGSL CORE 5.05 / MAIN 5.05 : ipa Multiple Vulnerabilities (NS-SA-2021-0171) | Nessus | NewStart CGSL Local Security Checks | medium |
| 152985 | Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14) | Nessus | Misc. | medium |
| 151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated) | Nessus | Misc. | high |
| 147251 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045) | Nessus | NewStart CGSL Local Security Checks | medium |
| 145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium |
| 145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium |
| 144412 | RHEL 7 : python-XStatic-Bootstrap-SCSS (RHSA-2020:5571) | Nessus | Red Hat Local Security Checks | medium |
| 143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium |
| 142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium |
| 142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium |
| 141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium |
| 141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium |
| 141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium |
| 132559 | F5 Networks BIG-IP : Bootstrap vulnerability (K24383845) | Nessus | F5 Networks Local Security Checks | medium |
| 129862 | RHEL 7 : Virtualization Manager (RHSA-2019:3024) | Nessus | Red Hat Local Security Checks | critical |
| 129861 | RHEL 7 : Virtualization Manager (RHSA-2019:3023) | Nessus | Red Hat Local Security Checks | medium |
| 129425 | FreeBSD : mantis -- multiple vulnerabilities (81fcc2f9-e15a-11e9-abbf-800dd28b22bd) | Nessus | FreeBSD Local Security Checks | high |
| 112376 | Bootstrap 4.x < 4.3.1 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium |
| 112375 | Bootstrap 3.x < 3.4.1 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium |