From 4e199048b4a29c6aed23fb45559bae4f02afb4d9 Mon Sep 17 00:00:00 2001
From: Dave Dalcino
Date: Wed, 22 Nov 2023 15:25:23 -0800
Subject: [PATCH 1/2] add CVE-2019-8331 for twitter-bootstrap-rails

---
 .../twitter-bootstrap-rails/CVE-2019-8331.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 gems/twitter-bootstrap-rails/CVE-2019-8331.yml

diff --git a/gems/twitter-bootstrap-rails/CVE-2019-8331.yml b/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
new file mode 100644
index 0000000000..81944b90e8
--- /dev/null
+++ b/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
@@ -0,0 +1,28 @@
+---
+gem: twitter-bootstrap-rails
+cve: 2019-8331
+ghsa: 9v3m-8fp8-mj99
+url: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
+title: twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
+date: 2019-02-15
+description: |
+ The seyhunak/twitter-bootstrap-rails gem includes a vendored version of
+ the Bootstrap JavaScript library.
+
+ In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
+ in the tooltip or popover data-template attribute.
+
+ The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
+ All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
+ All versions of this gem are affected.
+
+ # Workarounds
+ Until this gem is updated to use Bootstrap v3.4.1, users can replace it
+ with the official Twitter-maintained gems, `bootstrap-sass` (version 3.4.1)
+ or `bootstrap` (bootstrap 4 and 5).
+
+cvss_v2: 4.3
+cvss_v3: 6.1
+related:
+ url:
+ - https://github.com/twbs/bootstrap-sass/releases/tag/v3.4.1

From 87801392dc4469e43bc3b4636b16bf0781459260 Mon Sep 17 00:00:00 2001
From: David Dalcino
Date: Wed, 22 Nov 2023 17:11:36 -0800
Subject: [PATCH 2/2] appease angry linter

---
 gems/twitter-bootstrap-rails/CVE-2019-8331.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
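Review bot: The `# Workarounds` text in the new `description` only offers swapping gems, but a practitioner stuck on this gem also needs the mitigating condition stated: the XSS in the tooltip/popover `data-template` attribute is only reachable where untrusted input is allowed into that attribute (or the equivalent `template` option), and the `sanitize` option the linked release post describes as the fix is not available in the vendored 3.3.6. Consider adding a sentence to that section: `Applications that cannot switch gems should ensure no user-controlled data reaches the tooltip/popover data-template attribute or template option.` The phrase "official Twitter-maintained gems" also looks inaccurate — `bootstrap-sass` and `bootstrap` are published by the Bootstrap (twbs) project, so `the official Bootstrap-project gems` is safer wording. Since no `patched_versions`/`unaffected_versions` key is given, advisory consumers such as bundler-audit will flag every version of the gem, which matches the prose claim that all versions are affected; if that is intended, a one-line note saying so in the description would save the next maintainer from treating the omission as an oversight.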
diff --git a/gems/twitter-bootstrap-rails/CVE-2019-8331.yml b/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
index 81944b90e8..9362ca4109 100644
--- a/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
+++ b/gems/twitter-bootstrap-rails/CVE-2019-8331.yml
@@ -11,7 +11,7 @@ description: |
 In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
 in the tooltip or popover data-template attribute.
-   
+
 The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
 All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
 All versions of this gem are affected.