[Pkg-javascript-devel] Bug#1084060: twitter-bootstrap3: CVE-2024-6484 CVE-2024-6485
Sylvain Beucler
beuc at beuc.net
Wed Apr 9 10:22:37 BST 2025
Hi,
On Fri, 4 Oct 2024 17:19:21 +0200 Moritz Mühlenhoff
<jmm at inutil.org> wrote:
> CVE-2024-6485[1]:
> | A security vulnerability has been discovered in bootstrap that could
> | enable Cross-Site Scripting (XSS) attacks. The vulnerability is
> | associated with the data-loading-text attribute within the button
> | plugin. This vulnerability can be exploited by injecting malicious
> | JavaScript code into the attribute, which would then be executed
> | when the button's loading state is triggered.
>
> https://www.herodevs.com/vulnerability-directory/cve-2024-6485
Possible fix for CVE-2024-6485 (not CVE-2024-6484) in a bootstrap3 fork:
https://github.com/entreprise7pro/bootstrap/commit/769c032fd93d6f2c07599e096a736c5d09c041cf
(thanks Bastien for the pointer)
WDYT?
Cheers!
Sylvain Beucler
Debian LTS Team
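
An added example (not from this thread, the linked commit or the Bootstrap project): a heuristic Node.js audit that lists `data-loading-text` values which decode to markup or contain template placeholders, the two cases worth reviewing in packages that use the affected button plugin. The function names, the placeholder patterns and the sample markup are constructed assumptions.

```javascript
// Added example: heuristic audit for CVE-2024-6485 exposure in templates.
// Regex-based attribute scan, not a full HTML parser.
const ENTITIES = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);

// Decode character references once, as the HTML parser does before any
// script reads the attribute value.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] !== '#') {
      const v = ENTITIES.get(ref.toLowerCase());
      return v === undefined ? m : v;
    }
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// Return one finding per data-loading-text attribute that needs review.
function findRiskyLoadingText(html) {
  const attr = /\bdata-loading-text\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = [m[1], m[2], m[3]].find((v) => v !== undefined);
    const value = decodeEntities(raw);
    let reason = null;
    // Markup in the decoded value is what the CVE describes being executed.
    if (/<[a-z!\/]/i.test(value)) reason = 'markup';
    // Assumed placeholder syntaxes: the value is filled in server-side.
    else if (/\{\{|\{%|<%|\$\{/.test(value)) reason = 'template';
    if (reason) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ line, reason, value });
    }
  }
  return findings;
}

// Constructed sample markup, not taken from any real package.
const SAMPLE = [
  '<button class="btn" data-loading-text="Saving...">Save</button>',
  '<button class="btn" data-loading-text="&lt;i class=&quot;spin&quot;&gt;&lt;/i&gt; Wait">Go</button>',
  "<button class='btn' data-loading-text='Loading &amp; waiting'>Load</button>",
  '<button class="btn" data-loading-text="{{ user_label }}">Send</button>',
].join('\n');

console.log(findRiskyLoadingText(SAMPLE));
```

A `template` finding is only a prompt to trace where the placeholder's value comes from; a static `markup` finding is safe only if the markup is author-controlled.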