CVE-2019-8331

medium

Description

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

References

https://github.com/twbs/bootstrap/releases/tag/v4.3.1

https://github.com/twbs/bootstrap/pull/28236

http://www.securityfocus.com/bid/107375

https://github.com/twbs/bootstrap/releases/tag/v3.4.1

https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

https://support.f5.com/csp/article/K24383845

https://seclists.org/bugtraq/2019/May/18

http://seclists.org/fulldisclosure/2019/May/13

http://seclists.org/fulldisclosure/2019/May/11

http://seclists.org/fulldisclosure/2019/May/10

https://access.redhat.com/errata/RHSA-2019:1456

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.superset.apache.org%3E

https://access.redhat.com/errata/RHSA-2019:3023

https://access.redhat.com/errata/RHSA-2019:3024

https://lists.apache.org/thread.html/[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f0786[email protected]%3Cdev.drill.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.drill.apache.org%3E

https://support.f5.com/csp/article/K24383845?utm_source=f5support&utm_medium=RSS

http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

https://lists.apache.org/thread.html/[email protected]%3Cissues.hbase.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2019-02-20

Updated: 2021-07-22

Type: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:getbootstrap:bootstrap:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:redhat:virtualization_manager:4.3:*:*:*:*:*:*:*

Tenable Plugins (19 total)

ID | Name | Product | Family | Severity
154495 | NewStart CGSL CORE 5.05 / MAIN 5.05 : ipa Multiple Vulnerabilities (NS-SA-2021-0171) | Nessus | NewStart CGSL Local Security Checks | medium
152985 | Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14) | Nessus | Misc. | medium
151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated) | Nessus | Misc. | high
147251 | NewStart CGSL CORE 5.04 / MAIN 5.04 : ipa Multiple Vulnerabilities (NS-SA-2021-0045) | Nessus | NewStart CGSL Local Security Checks | medium
145989 | CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:4847) | Nessus | CentOS Local Security Checks | medium
145873 | CentOS 8 : idm:DL1 and idm:client (CESA-2020:4670) | Nessus | CentOS Local Security Checks | medium
144412 | RHEL 7 : python-XStatic-Bootstrap-SCSS (RHSA-2020:5571) | Nessus | Red Hat Local Security Checks | medium
143080 | RHEL 7 : ipa (RHSA-2020:3936) | Nessus | Red Hat Local Security Checks | medium
142435 | RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670) | Nessus | Red Hat Local Security Checks | medium
142409 | RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847) | Nessus | Red Hat Local Security Checks | medium
141974 | Amazon Linux 2 : ipa-client (ALAS-2020-1519) | Nessus | Amazon Linux Local Security Checks | medium
141734 | Scientific Linux Security Update : ipa on SL7.x x86_64 (20201001) | Nessus | Scientific Linux Local Security Checks | medium
141586 | CentOS 7 : ipa (CESA-2020:3936) | Nessus | CentOS Local Security Checks | medium
132559 | F5 Networks BIG-IP : Bootstrap vulnerability (K24383845) | Nessus | F5 Networks Local Security Checks | medium
129862 | RHEL 7 : Virtualization Manager (RHSA-2019:3024) | Nessus | Red Hat Local Security Checks | critical
129861 | RHEL 7 : Virtualization Manager (RHSA-2019:3023) | Nessus | Red Hat Local Security Checks | medium
129425 | FreeBSD : mantis -- multiple vulnerabilities (81fcc2f9-e15a-11e9-abbf-800dd28b22bd) | Nessus | FreeBSD Local Security Checks | high
112376 | Bootstrap 4.x < 4.3.1 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium
112375 | Bootstrap 3.x < 3.4.1 Cross-Site Scripting | Web Application Scanning | Component Vulnerability | medium