CVE-2024-6485
6.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Summary
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Bootstrap | Bootstrap | 1.4.0 <= 3.4.1 | affected |
| Bootstrap-sass | bootstrap-sass | 2.3.2 <= 3.4.3 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://www.herodevs.com/vulnerability-directory/cve-2024-6485
- https://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.