CVE Daily
← All tags

Tag: Bootstrap

All CVEs associated with "Bootstrap". Page 2/2 • 169 CVEs.

Subscribe CVEs: RSS for “Bootstrap”  ·  RSS (High+Critical only)

About “Bootstrap”

A curated feed of “Bootstrap”-related CVEs appears below. We currently track 169 CVEs for this tag (all time). In the last 365 days, 42 were published. Average CVSS is 6.7 (all time; 7.2 over 365d), and 38% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-346 - Origin Validation Error.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-04-27
Medium

CVE-2021-21365

Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-02-23
High

CVE-2021-20198

A flaw was found in the OpenShift Installer before version v0.9.0-master.0.20210125200451-95101da940b0. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned…

CVSS: 8.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2021-01-28
Medium

CVE-2020-36115

Stored Cross Site Scripting (XSS) vulnerability in EGavilan Media CRUD Operation with PHP, MySQL, Bootstrap, and Dompdf via First Name or Last Name parameter in the 'Add New Record Feature'.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-01-14
Medium

CVE-2020-29587

SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization o…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-12-07
Medium

CVE-2020-28727

Cross-site scripting (XSS) exists in SeedDMS 6.0.13 via the folderid parameter to views/bootstrap/class.DropFolderChooser.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-10-14
High

CVE-2020-15229

Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`,…

CVSS: 8.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-09-30
Medium

CVE-2019-20921

bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-09-03
Medium

CVE-2020-25093

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in blog.php. within application/views/templates/clothesshop, application/views/templates/onepage, and application/views/templates/redlabel.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25092

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in _parts/header.php, within application/views/templates/clothesshop, application/views/templates/greenlabel, and application/views/templa…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25091

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/vendor/views/add_product.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25090

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/publish.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25089

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/ecommerce/discounts.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25088

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/blog/blogpublish.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25087

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/languages.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2020-25086

Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in application/modules/admin/views/advanced_settings/adminUsers.php.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-06-06
Medium

CVE-2020-13890

The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-02-10
High

CVE-2017-18641

In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers.

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2020-01-27
High

CVE-2019-17095

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the producti…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2019-17096

A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command.

CVSS: 9.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2019-11-05
Critical

CVE-2019-8121

An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Boo…

CVSS: 9.8 CWE: N/A View on NVD
2019-10-08
Medium

CVE-2019-10215

Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-10-02
Medium

CVE-2019-16116

EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.

CVSS: 4.3 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2019-07-05
High

CVE-2019-13314

virt-bootstrap 1.1.0 allows local users to discover a root password by listing a process, because this password may be present in the --root-password option to virt_bootstrap.py.

CVSS: 7.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2019-04-04
Critical

CVE-2019-10842

Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2019-02-20
Medium

CVE-2019-8331

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-02-17
High

CVE-2019-7649

global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies on multiple MD5 operations for password hashing.

CVSS: 7.5 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2019-01-09
Medium

CVE-2018-20677

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-20676

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2016-10735

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-07-30
High

CVE-2018-14742

An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in set_field_one in bootstrap.c during a memcpy.

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
High

CVE-2018-14740

An issue was discovered in libpbc.a in cloudwu PBC through 2017-03-02. A SEGV can occur in set_field_one in bootstrap.c while making a query.

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2018-07-13
Medium

CVE-2018-14042

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-14041

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-14040

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-06-27
Critical

CVE-2018-12918

In libpbc.a in PBC through 2017-03-02, there is a Segmentation fault in _pbcB_register_fields in bootstrap.c.

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2017-10-30
High

CVE-2017-9450

The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the abili…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2017-09-21
High

CVE-2015-8559

The knife bootstrap command in chef Infra client before version 15.4.45 leaks the validator.pem private RSA key to /var/log/messages.

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-08-13
High

CVE-2015-5685

The lazy_bdecode function in BitTorrent DHT bootstrap server (bootstrap-dht ) allows remote attackers to execute arbitrary code via a crafted packet, related to "improper indexing."

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2014-11-24
Medium

CVE-2014-7848

lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error mes…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-10-31
High

CVE-2014-8509

The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) allows remote attackers to execute arbitrary code via a crafted packet, which triggers an out-of-bounds read, related to "Imprope…

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2014-05-27
Low

CVE-2014-3840

Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2013-03-01
Low

CVE-2012-6116

modules/certs/manifests/config.pp in katello-configure before 1.3.3.pulpv2 in Katello uses weak permissions (666) for the Candlepin bootstrap RPM, which allows local users to modify the Candlepin CA…

CVSS: 2.1 CWE: CWE-264 View on NVD
2013-01-04
Medium

CVE-2012-0861

The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents…

CVSS: 6.8 CWE: CWE-310 View on NVD
Medium

CVE-2012-0860

Multiple untrusted search path vulnerabilities in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, allow local users to gain privileges via a Trojan horse (1) deploy…

CVSS: 6.2 CWE: N/A View on NVD
2012-05-21
Medium

CVE-2012-2922

The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installati…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2010-06-10
High

CVE-2010-1571

Directory traversal vulnerability in the bootstrap service in Cisco Unified Contact Center Express (UCCX) 7.0 before 7.0(1)SR4 and 7.0(2), unspecified 6.0 versions, and 5.0 before 5.0(2)SR3 allows re…

CVSS: 7.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2009-05-06
Medium

CVE-2009-1576

Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims i…

CVSS: 4.3 CWE: N/A View on NVD
2009-02-19
Critical

CVE-2008-6171

includes/bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the server is configured for "IP-based virtual hosts," allows remote attackers to include and execute arbitrary files via the…

CVSS: 9.3 CWE: CWE-16 View on NVD
2006-12-06
Medium

CVE-2006-6112

LifeType 1.0.x and 1.1.x have insufficient access control for all of the PHP scripts under (1) class/ and (2) plugins/, which allows remote attackers to obtain the installation path via a direct requ…

CVSS: 5.0 CWE: N/A View on NVD