Bootstrap multiple vulnerabilities (#388)

reynhout · reedloden · commit 7b0b924a4a84 · 2019-04-22T16:02:59.000-07:00
* Add CVE-2018-14040 * Add CVE-2016-10735
diff --git a/gems/bootstrap-sass/CVE-2016-10735.yml b/gems/bootstrap-sass/CVE-2016-10735.yml
@@ -0,0 +1,20 @@
+---
+gem: bootstrap-sass
+cve: 2016-10735
+url: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
+title: XSS vulnerability via data-target in bootstrap-sass
+date: 2016-07-27
+
+description: |
+  In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2,
+  XSS is possible in the data-target attribute.
+
+cvss_v2: 4.3
+cvss_v3: 6.1
+
+patched_versions:
+  - '>= 3.4.0'
+
+related:
+  url:
+    - https://github.com/twbs/bootstrap/issues/20184
diff --git a/gems/bootstrap/CVE-2016-10735.yml b/gems/bootstrap/CVE-2016-10735.yml
@@ -0,0 +1,20 @@
+---
+gem: bootstrap
+cve: 2016-10735
+url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
+title: XSS vulnerability via data-target in bootstrap
+date: 2016-07-27
+
+description: |
+  In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2,
+  XSS is possible in the data-target attribute.
+
+cvss_v2: 4.3
+cvss_v3: 6.1
+
+patched_versions:
+  - '>= 4.0.0-beta.2'
+
+related:
+  url:
+    - https://github.com/twbs/bootstrap/issues/20184
diff --git a/gems/bootstrap/CVE-2018-14040.yml b/gems/bootstrap/CVE-2018-14040.yml
@@ -0,0 +1,24 @@
+---
+gem: bootstrap
+cve: 2018-14040
+url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
+title: XSS vulnerabilities via data-parent, data-target, data-container in bootstrap
+date: 2018-07-03
+
+description: |
+  In Bootstrap before 4.1.2, XSS is possible in collapse data-parent
+  attribute (CVE-2018-14040), data-target property of scrollspy
+  (CVE-2018-14041), data-container property of tooltip (CVE-2018-14042)
+
+cvss_v2: 4.3
+cvss_v3: 6.1
+
+patched_versions:
+  - '>= 4.1.2'
+
+related:
+  cve:
+    - 2018-14041
+    - 2018-14042
+  url:
+    - https://github.com/twbs/bootstrap/issues/26423
