VulnerableCode Package Details - pkg:npm/bootstrap@4.1.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-3ygq-cbu4-23ad Aliases: CVE-2019-8331 GHSA-9v3m-8fp8-mj99 GHSA-fxwm-579q-49qq GHSA-wh77-3x4m-4q9g	Bootstrap Vulnerable to Cross-Site Scripting Versions of `bootstrap` prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The `data-template` attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript. ## Recommendation For `bootstrap` 4.x upgrade to 4.3.1 or later. For `bootstrap` 3.x upgrade to 3.4.1 or later.	4.3.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-9gdn-vssr-m3d9 Aliases: CVE-2018-14042 GHSA-7mvr-5x2g-wfc8	Bootstrap Cross-site Scripting vulnerability In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.	4.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-e8jt-6jum-n3az Aliases: CVE-2018-14040 GHSA-3wqf-4x89-9g79	Bootstrap vulnerable to Cross-Site Scripting (XSS) In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.	4.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qceg-ajt8-jfct Aliases: CVE-2024-6531 GHSA-vc8w-jr9v-vj7f	Bootstrap Cross-Site Scripting (XSS) vulnerability A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.	5.0.0 Affected by 0 other vulnerabilities.
VCID-u34g-yks8-hbay Aliases: CVE-2018-14041 GHSA-pj7m-g53m-7638	Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.	4.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3ygq-cbu4-23ad
Aliases:
CVE-2019-8331
GHSA-9v3m-8fp8-mj99
GHSA-fxwm-579q-49qq
GHSA-wh77-3x4m-4q9g

Bootstrap Vulnerable to Cross-Site Scripting Versions of `bootstrap` prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The `data-template` attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript. ## Recommendation For `bootstrap` 4.x upgrade to 4.3.1 or later. For `bootstrap` 3.x upgrade to 3.4.1 or later.

4.3.1
Affected by 1 other vulnerability.

VCID-9gdn-vssr-m3d9
Aliases:
CVE-2018-14042
GHSA-7mvr-5x2g-wfc8

Bootstrap Cross-site Scripting vulnerability In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.

4.1.2
Affected by 2 other vulnerabilities.

VCID-e8jt-6jum-n3az
Aliases:
CVE-2018-14040
GHSA-3wqf-4x89-9g79

Bootstrap vulnerable to Cross-Site Scripting (XSS) In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.

4.1.2
Affected by 2 other vulnerabilities.

VCID-qceg-ajt8-jfct
Aliases:
CVE-2024-6531
GHSA-vc8w-jr9v-vj7f

Bootstrap Cross-Site Scripting (XSS) vulnerability A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

5.0.0
Affected by 0 other vulnerabilities.

VCID-u34g-yks8-hbay
Aliases:
CVE-2018-14041
GHSA-pj7m-g53m-7638

Bootstrap Cross-site Scripting vulnerability In Bootstrap 4.x before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042.

4.1.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:09:22.144807+00:00	GitLab Importer	Affected by	VCID-qceg-ajt8-jfct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/bootstrap/CVE-2024-6531.yml	37.0.0
2025-07-03T17:32:47.916757+00:00	GitLab Importer	Affected by	VCID-3ygq-cbu4-23ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/bootstrap/CVE-2019-8331.yml	37.0.0
2025-07-03T17:28:00.612072+00:00	GitLab Importer	Affected by	VCID-u34g-yks8-hbay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/bootstrap/CVE-2018-14041.yml	37.0.0
2025-07-03T17:27:59.473540+00:00	GitLab Importer	Affected by	VCID-e8jt-6jum-n3az	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/bootstrap/CVE-2018-14040.yml	37.0.0
2025-07-03T17:27:59.279806+00:00	GitLab Importer	Affected by	VCID-9gdn-vssr-m3d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/bootstrap/CVE-2018-14042.yml	37.0.0