CVE-2024-6485: Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

July 11, 2024 (updated November 18, 2024)

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button’s loading state is triggered.

References

github.com/advisories/GHSA-vxmc-5x29-h64v
github.com/twbs/bootstrap
nvd.nist.gov/vuln/detail/CVE-2024-6485
www.herodevs.com/vulnerability-directory/cve-2024-6485

Code Behaviors & Features

Detect and mitigate CVE-2024-6485 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →