CVE-2024-6531 - A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks

[hashaghate]

Hi All,

In our ASP.NET application, we are using Bootstrap version 5.3.1
But NexusScan flagged out vulnerability CVE-2024-6531 and recommendation is given as
"There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control."

Please share your thoughs and suggestions on how to fix this.

[julien-deramond]

Hi @hashaghate
CVE-2024-6531, where the details are at https://www.herodevs.com/vulnerability-directory/cve-2024-6531, affects Bootstrap >=4.0.0 <=4.6.2.
You're using Bootstrap version 5.3.1, so you're not concerned by this CVE.

[julien-deramond]

At first, on SNYK, it was flagged out as Bootstrap * (all versions), but this was a mistake. IDK if that's the case for NexusScan. TBH, I don't know exactly how it works. But I'm sure that the recent CVEs published in July (except if their content changes at some point), don't affect Bootstrap 5. The corresponding versions can be found each time in the Hero Devs links.

[hashaghate]

@julien-deramond Thanks for your reply. That’s very useful information.
Could you please share link where it’s mentioned that it was a mistake when it was flagged out for Bootstrap versions for reference purpose.

[julien-deramond]

It was there: https://security.snyk.io/package/npm/bootstrap. But not visible anymore as the right affected versions are now mentioned

[biomedia-thomas]

But I'm sure that the recent CVEs published in July (except if their content change at some point), don't affect Bootstrap 5. The corresponding versions can be found each time in the Hero Devs links.

Could you maybe explain why version 5 isn't affected? CVE-2024-6531 and CVE-2024-6484 are pretty much the same issue but it doesn't seem very different in 5. If I modify the proof of concept to bootstrap 5.3.3 and update some classnames with -bs- it still shows the 'XSS' alert:
https://codepen.io/bmthomas/pen/YzoQBdM

I'm having a hard time viewing these CVE's as XSS, the actual issue seems to be "preventDefault not called on links with data-(bs-)slide with malformed href attributes". Calling this XSS by assuming the href attribute has already been compromised seems a bit far fetched and would be an issue even without bootstrap. Bootstrap doesn't actually evaluate the href, it's just not preventing you from click-activating it. But maybe I'm missing something crucial since there are no public patches for this issue.

[julien-deramond]

Our security team is evaluating the impact on v5 based on the recent CVEs. For now, v5 is considered as not impacted.

[jo3h]

I don't mean to necro bump the discussion but this seems to be the most appropriate location to share my research into this CVE. This has been bugging me for quite a while now as it has been appearing in the software composition analysis (NexusIQ) scans.

The existing Bootstrap source code (v3/v4/v5) already checks if the value in the "href" or "data-target" ("data-bs-target" for v5) attribute points to a target with the carousel class. And if so, blocks the click event from propagating further. And if not, returns the event back to the browser.

Reviewing the PoC code as seen at https://www.herodevs.com/vulnerability-directory/cve-2024-6484?bootstrap-nes

It is not setup correctly to either use href="#myCarousel" or data-target="#myCarousel" to point to an element with the carousel class.

If you add data-target="#myCarousel" to the PoC at https://codepen.io/Trey-McCallie/pen/NWZKERe as follows, then the XSS won't be triggered and the carousel moves to the previous slide as expected

<a
    href="javascript:alert('XSS href')"
    data-target="#myCarousel"
    class="left"
    role="button"
    data-slide="prev"
  >
    Previous (XSS)
</a>

Blocking all the <a> tags that has the "data-slide" or "data-slide-to" attribute isn't a good idea as we cannot be entirely sure the attributes will be exclusively written for use by Bootstrap. This could cause legitimate click actions on elements with 'data-slide' or 'data-slide-to' attributes that are not meant for bootstrap carousel to be dropped and not processed by the browser.

By returning the legitimate click actions back to the browser to process seems to be the most graceful approach to not break anything.

Why is this an issue in the first place?

[aavorthmann]

Hey there @jo3h ! My name is Allison and I am an Engineering Manager at HeroDevs -- this thread was brought to our attention and I just wanted to let you know I am following up internally and working to make sure we can get you a response from our side.