August 14, 2024

New Bootstrap Vulnerabilities to Watch


New Bootstrap vulnerabilities could spell trouble for those with websites or web apps running Bootstrap 3 or Bootstrap 4, which are end of life and no longer community-supported. 

Keep reading to find out how these Bootstrap vulnerabilities can be exploited to engineer cross-site scripting (XSS) attacks and what to do to enhance your Bootstrap security. 


Who Is Impacted By These Bootstrap Vulnerabilities?

In July 2024, three vulnerabilities affecting end-of-life (EOL) versions of Bootstrap were disclosed: 

All three CVEs received a CVSS score of 6.4 from the National Vulnerability Database, indicating medium severity.  


CVE-2024-6484 and CVE-2024-6485 affect Bootstrap 3, and CVE-2024-6531 affects Bootstrap 4. If you have applications or websites running either of these EOL versions, you are at risk. 


How Do the Bootstrap Vulnerabilities Work?

CVE-2024-6484 and CVE-2024-6531 are the same cross-site scripting (XSS) vulnerability in the Bootstrap carousel component, reported against different Bootstrap versions. This component lets you define the slide behavior of links in the carousel via “data” attributes. The vulnerability becomes exploitable when user-supplied values are placed in these attributes without adequate sanitization. 

CVE-2024-6485 is a similar vulnerability, but targets the button plugin and its loading text state. 

Can't Upgrade Yet to Bootstrap 5? 

Bootstrap Long-Term Support buys you more time and peace of mind. Find out how OpenLogic can help you avoid downtime if you have sites or apps built on Bootstrap 3 or Bootstrap 4.



Consequences and Costs of a Cross-Site Scripting Attack

As defined by the Open Worldwide Application Security Project (OWASP), a cross-site scripting (XSS) attack is a vector by which a malicious script is injected into a website. These can be relatively trivial, and just inject new content or data into the website — or more nefarious, and transmit data, like session login information, to a third party under the attacker’s control.   

Some examples of what can be accomplished via an XSS attack: 

  • Form contents could be sent to a third party instead of the site, leading to leakage of PII or financial information. 
  • A link could submit a form to a malicious site, returning data that the browser then assumes is trusted, but which in fact contains and executes additional malicious code. 
  • A session cookie could be hijacked and used by the attacker to gain access to the user session and data on the website. The attacker can now impersonate the user and gain access to their information, which might include PII or payment methods. If the user has admin privileges on the website, the attacker could gain access to administration tools, potentially changing any content on the site. 
  • A script could modify site contents, such as a press release or blog post, providing false information to consumers and damaging the credibility of the site owner. 

While XSS attacks have been known about and categorized for literally decades, they are still serious security concerns for web-based applications. 


Mitigation and How to Improve Bootstrap Security

There are a number of general measures you can take to mitigate XSS attacks. The most basic is to validate all user input and to apply robust sanitization and normalization when rendering user-provided input, so that script injection cannot occur in the first place. Additionally, you can set the HttpOnly flag on cookies, which prevents JavaScript from accessing them, and add Content Security Policy HTTP headers, which restrict the sources from which the browser will execute scripts and so block third-party JavaScript you have not explicitly allowed.  
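The input validation described above, applied to the two attribute families this post discusses (the carousel's "data" attributes and the button plugin's loading text), as an added example that is not part of the original post or of Bootstrap itself. The attribute names data-slide, data-slide-to, data-target and data-loading-text are Bootstrap 3/4's documented API; the helper functions and the way an application builds its markup are assumptions for illustration.

```javascript
// Added example (not Bootstrap's own code): treat every user-influenced value that
// ends up in a Bootstrap carousel control or loading-text button as untrusted.

// Escape text for an HTML attribute or element body so user input cannot close the
// surrounding quote or open a new tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The carousel only understands "prev"/"next" for data-slide and a zero-based slide
// index for data-slide-to, so an allowlist is stricter (and safer) than escaping.
// Returns the validated attributes, or null if anything is out of range.
function validateSlideAttrs(input, slideCount) {
  const attrs = {};
  if (input.slide !== undefined) {
    if (input.slide !== "prev" && input.slide !== "next") return null;
    attrs["data-slide"] = input.slide;
  }
  if (input.slideTo !== undefined) {
    if (!/^\d{1,3}$/.test(String(input.slideTo))) return null; // digits only, no "1e2"
    const n = Number(input.slideTo);
    if (n >= slideCount) return null; // index must refer to an existing slide
    attrs["data-slide-to"] = String(n);
  }
  return Object.keys(attrs).length ? attrs : null;
}

// Render a carousel control anchor; renders nothing (null) rather than passing bad
// input through. targetId is restricted to a plain HTML id so it needs no escaping.
function renderCarouselControl(targetId, input, slideCount) {
  const attrs = validateSlideAttrs(input, slideCount);
  if (attrs === null || !/^[A-Za-z][\w-]*$/.test(targetId)) return null;
  const attrText = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(" ");
  return `<a href="#${targetId}" data-target="#${targetId}" ${attrText}></a>`;
}

// The button plugin's loading text is free-form, so it cannot be allowlisted; it is
// escaped before it lands in the data-loading-text attribute.
function renderLoadingButton(label, loadingText) {
  return `<button type="button" class="btn btn-primary" data-loading-text="${escapeHtml(loadingText)}">${escapeHtml(label)}</button>`;
}
```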

However, when using third-party JavaScript frameworks such as Bootstrap, sometimes you cannot audit every bit of JS that your application executes.  

In those cases, you can apply your own patch or migrate to the current version of Bootstrap, Bootstrap 5. If neither of those is possible, it is recommended to get long-term support through a commercial partner like OpenLogic so that you have access to patches when vulnerabilities affecting EOL versions are disclosed. OpenLogic has patched all three of these CVEs for our Bootstrap LTS customers.  


Final Thoughts

Once open source software reaches end of life, vulnerabilities become harder to deal with since you can't rely on the community to provide a fix quickly. As described above, the fallout from XSS attacks can be somewhat minor (false information/vandalism to your site) or devastating (sensitive customer data stolen), so if you are running an older version of Bootstrap, it's time to upgrade or make sure you have an LTS provider. 
