Vulnerability Name: | CVE-2018-14040 (CCN-146468) |
Assigned: | 2018-05-29 |
Published: | 2018-05-29 |
Updated: | 2021-07-22 |
Summary: | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. The collapse plugin reads the value of data-parent and passes it to jQuery as a selector, so attacker-controlled markup in that attribute is interpreted as HTML (and any inline event handler in it runs) instead of being treated as a selector. The 3.x line is affected before 3.4.0 (see Vulnerable Configuration below). |
CVSS v3 Severity: | 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); 5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
| 6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); 5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
| 6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); 5.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
| All three v3.1 vectors are identical. Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required. Scope (S): Changed. Impact Metrics: Confidentiality (C): Low; Integrity (I): Low; Availability (A): None. |
|
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N). Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None. Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None.
| 5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N). Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single instance. Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None. |
|
Vulnerability Type: | CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
|
Vulnerability Consequences: | Cross-Site Scripting |
References: | Source: MITRE Type: CNA CVE-2018-14040
Source: MISC Type: UNKNOWN http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
Source: MISC Type: UNKNOWN http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
Source: FULLDISC Type: UNKNOWN 20190510 dotCMS v5.1.1 Vulnerabilities
Source: FULLDISC Type: UNKNOWN 20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability
Source: FULLDISC Type: UNKNOWN 20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability
Source: CCN Type: Bootstrap Blog, 12 Jul 2018 Bootstrap 4.1.2
Source: MISC Type: Vendor Advisory https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
Source: XF Type: UNKNOWN bootstrap-cve201814040-xss(146468)
Source: MISC Type: Issue Tracking, Third Party Advisory https://github.com/twbs/bootstrap/issues/26423
Source: MISC Type: Exploit, Issue Tracking, Third Party Advisory https://github.com/twbs/bootstrap/issues/26625
Source: MISC Type: Issue Tracking, Patch, Third Party Advisory https://github.com/twbs/bootstrap/pull/26630
Source: MLIST Type: UNKNOWN [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
Source: MLIST Type: UNKNOWN [superset-dev] 20190926 Re: [VOTE] Release Superset 0.34.1 based on Superset 0.34.1rc1
Source: MLIST Type: UNKNOWN [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities
Source: MLIST Type: UNKNOWN [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities
Source: MLIST Type: UNKNOWN [hbase-issues] 20201116 [GitHub] [hbase] symat opened a new pull request #2661: HBASE-25261 Upgrade Bootstrap to 3.4.1
Source: MLIST Type: UNKNOWN [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list
Source: MLIST Type: Third Party Advisory [debian-lts-announce] 20180827 [SECURITY] [DLA 1479-1] twitter-bootstrap3 security update
Source: BUGTRAQ Type: UNKNOWN 20190509 dotCMS v5.1.1 Vulnerabilities
Source: CCN Type: IBM Security Bulletin 880955 (API Connect) API Connect V5 is impacted by vulnerabilities in Bootstrap (CVE-2018-14040 CVE-2018-14041 CVE-2018-14042)
Source: CCN Type: IBM Security Bulletin 6336361 (Security Secret Server) Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault previously known as IBM Security Secret Server
Source: CCN Type: IBM Security Bulletin 6382126 (Netezza for Cloud Pak for Data) OSS scan fixes for Content pos
Source: CCN Type: IBM Security Bulletin 6455993 (Rational License Key Server) IBM License Key Server Administration and Reporting Tool is impacted by multiple vulnerabilities in jQuery, Bootstrap and AngularJS
Source: CCN Type: IBM Security Bulletin 6520510 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6570915 (Data Risk Manager) IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)
Source: CCN Type: IBM Security Bulletin 6570957 (Cognos Analytics) IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6980757 (Maximo Asset Management) There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management
Source: CCN Type: IBM Security Bulletin 6984699 (MobileFirst Foundation) Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform
Source: CCN Type: IBM Security Bulletin 6985609 (Engineering Workflow Management) IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203
Source: CCN Type: IBM Security Bulletin 6991577 (Edge Application Manager) Open Source Dependency Vulnerability
Source: CCN Type: IBM Security Bulletin 7001347 (Business Automation Workflow containers) Multiple security vulnerabilities in bootstrap.js may affect IBM Business Automation Workflow
Source: MISC Type: UNKNOWN https://www.oracle.com/security-alerts/cpuApr2021.html
|
Vulnerable Configuration: |
Configuration 1: cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Configuration 2: cpe:/a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* (Version < 3.4.0)
  OR cpe:/a:getbootstrap:bootstrap:*:*:*:*:*:*:*:* (Version >= 4.0.0 and < 4.1.2)
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha2:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha3:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha4:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha5:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:alpha6:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:beta:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:beta2:*:*:*:*:*:*
  OR cpe:/a:getbootstrap:bootstrap:4.0.0:beta3:*:*:*:*:*:*
Configuration RedHat 1: cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
Configuration RedHat 2: cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
Configuration RedHat 3: cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
Configuration RedHat 4: cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
Configuration RedHat 5: cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
Configuration RedHat 6: cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 7: cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration CCN 1: cpe:/a:getbootstrap:bootstrap:4.1.1:*:*:*:*:*:*:*
  AND (cpe:/a:ibm:api_connect:5.0.0.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:api_connect:5.0.8.5:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6.3:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6.4:*:*:*:*:*:*:*
  OR cpe:/a:ibm:rational_license_key_server:8.1.6.5:*:*:*:*:*:*:*
  OR cpe:/a:ibm:security_secret_server:10.8:*:*:*:*:*:*:*
  OR cpe:/a:ibm:engineering_workflow_management:7.0.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:engineering_workflow_management:7.0.2:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.2:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.3:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:22.0.2:-:*:*:containers:*:*:*
  OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*
  OR cpe:/a:ibm:maximo_asset_management:7.6.1.2:*:*:*:*:*:*:*) |
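Added example, not code from Bootstrap, jQuery or any vendor listed in this record. It runs under Node with no browser or jQuery and models the root cause of this CVE: jQuery's `$(string)` treats a string that looks like markup as HTML to create rather than as a selector, so a value taken from the collapse trigger's data-parent attribute can create an element whose inline event handler runs. The dispatch rule (`RQUICK_EXPR` and the leading "<" / trailing ">" check) is reproduced from my reading of jQuery 3.x core; the "hardened" lookup is my model of the approach the 4.1.2 fix (pull request 26630) takes, namely resolving the value through a DOM selector API that never creates markup, with a small selector allow-list standing in for `document.querySelector` because Node has no `document`. The function names, `SAMPLE_HTML`, and the `alert(1)` probe are constructed for the example. The point a practitioner should take from it: correct HTML attribute encoding in the template does not help, because the browser decodes entities when the plugin reads the attribute, so the remedy is to upgrade (4.1.2, or 3.4.0 on the 3.x line) and to stop placing untrusted values in data-parent.

```javascript
'use strict';

// Constructed example for this advisory; not Bootstrap's or jQuery's code.

// jQuery's $(string) dispatch rule (assumption: reproduced from jQuery 3.x
// core/init.js): a string that starts with "<" and ends with ">" (length >= 3),
// or that matches RQUICK_EXPR with group 1 set, is parsed as HTML and the
// elements are created. Anything else is handed to the selector engine.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function jqueryTreatsAsHtml(value) {
  if (typeof value !== 'string') return false;
  if (value.length >= 3 && value[0] === '<' && value[value.length - 1] === '>') {
    return true;
  }
  const m = RQUICK_EXPR.exec(value);
  return Boolean(m && m[1]);
}

// Minimal tag scanner: returns "tag.onevent" for each inline event-handler
// attribute in markup that would be created. img onerror and svg onload fire
// as soon as the element exists, with no further user action.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const HANDLER_RE = /\s(on\w+)\s*=/gi;

function eventHandlersIn(html) {
  const found = [];
  let tag;
  TAG_RE.lastIndex = 0;
  while ((tag = TAG_RE.exec(html)) !== null) {
    let h;
    HANDLER_RE.lastIndex = 0;
    while ((h = HANDLER_RE.exec(tag[2])) !== null) {
      found.push(`${tag[1].toLowerCase()}.${h[1].toLowerCase()}`);
    }
  }
  return found;
}

// Pre-4.1.2 path (modelled): the raw attribute value goes straight to $().
function vulnerableParentLookup(dataParent) {
  if (jqueryTreatsAsHtml(dataParent)) {
    return { kind: 'created-html', handlers: eventHandlersIn(dataParent) };
  }
  return { kind: 'selector', selector: dataParent };
}

// Hardened path (assumption: models the 4.1.2 fix, which resolves the value
// through a DOM selector API). A selector API never creates markup; this
// id/class/descendant allow-list stands in for document.querySelector.
const SAFE_SELECTOR = /^[#.]?[A-Za-z_][\w-]*(?:\s*[>\s]\s*[#.]?[A-Za-z_][\w-]*)*$/;

function hardenedParentLookup(dataParent) {
  if (typeof dataParent !== 'string' || !SAFE_SELECTOR.test(dataParent.trim())) {
    return { kind: 'rejected' };
  }
  return { kind: 'selector', selector: dataParent.trim() };
}

// The browser decodes entities when script reads an attribute, so a value the
// template escaped correctly still reaches jQuery as raw markup.
function decodeEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', '#39': "'", '#x27': "'", amp: '&' };
  return s.replace(/&(lt|gt|quot|#39|#x27|amp);/g, (_, e) => map[e]);
}

// Audit helper: pull every data-parent value out of rendered HTML and report
// the ones the vulnerable path would hand to the HTML parser.
const DATA_PARENT_RE = /data-parent\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

function auditDataParent(html) {
  const hits = [];
  let m;
  DATA_PARENT_RE.lastIndex = 0;
  while ((m = DATA_PARENT_RE.exec(html)) !== null) {
    const value = decodeEntities(m[1] !== undefined ? m[1] : m[2]);
    if (jqueryTreatsAsHtml(value)) hits.push(value);
  }
  return hits;
}

// Constructed sample page: the second trigger carries a user-supplied value
// that the template escaped with standard HTML attribute encoding.
const SAMPLE_HTML = [
  '<a data-toggle="collapse" data-parent="#accordion" href="#one">One</a>',
  '<a data-toggle="collapse" data-parent="&lt;img src=x onerror=alert(1)&gt;" href="#two">Two</a>',
].join('\n');

for (const v of auditDataParent(SAMPLE_HTML)) {
  console.log('flagged data-parent:', JSON.stringify(v));
  console.log('  pre-4.1.2 path:', JSON.stringify(vulnerableParentLookup(v)));
  console.log('  hardened path: ', JSON.stringify(hardenedParentLookup(v)));
}
```

`auditDataParent` is the check to run over rendered pages or templates of an application that still ships an affected Bootstrap: any hit is a value jQuery would build as markup. The allow-list in `hardenedParentLookup` is deliberately narrower than the CSS selector grammar; in a browser the real fix relies on the selector API refusing markup, and the allow-list only illustrates that contract.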
debian debian linux 8.0
getbootstrap bootstrap 4.0.0 alpha5
getbootstrap bootstrap 4.0.0 alpha6
getbootstrap bootstrap 4.0.0 beta
getbootstrap bootstrap 4.0.0 alpha3
getbootstrap bootstrap 4.0.0 alpha4
getbootstrap bootstrap *
getbootstrap bootstrap *
getbootstrap bootstrap 4.0.0 beta2
getbootstrap bootstrap 4.0.0 beta3
getbootstrap bootstrap 4.0.0 alpha
getbootstrap bootstrap 4.0.0 alpha2
getbootstrap bootstrap 4.1.1
ibm api connect 5.0.0.0
ibm api connect 5.0.8.5
ibm rational license key server 8.1.6
ibm security secret server 10.8
ibm rational license key server 8.1.6.2
ibm rational license key server 8.1.6.1
ibm rational license key server 8.1.6.3
ibm rational license key server 8.1.6.4
ibm rational license key server 8.1.6.5
ibm engineering workflow management 7.0.1
ibm engineering workflow management 7.0.2
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm cognos analytics 11.2.1
ibm business automation workflow 20.0.0.1 -
ibm business automation workflow 20.0.0.1
ibm business automation workflow 20.0.0.2
ibm business automation workflow 21.0.1
ibm business automation workflow 20.0.0.2 -
ibm business automation workflow 21.0.3 -
ibm maximo asset management 7.6.1.2
ibm business automation workflow 21.0.2 -
ibm business automation workflow 22.0.1 -
ibm business automation workflow 22.0.1
ibm business automation workflow 21.0.3.1
ibm business automation workflow 22.0.2 -
ibm business automation workflow 22.0.2