
PGV-245118T - Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

Disclosed on July 11, 2024 (updated November 04, 2025)

Vulnerability Overview

PGV-245118T is a category 2 vulnerability that affects bootstrap, versions ≥ 1.4.0 and ≤ 3.4.1.

Risk Assessment

The risk assessment shows that this vulnerability is exploited by a compromised user: a legitimate user who unknowingly triggers exploitation of this vulnerability through normal interaction.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by:

  • a denial of service (limited). Exploitation can degrade or intermittently disrupt application availability without causing a full outage.
  • a data breach. Exploitation can result in full access to data within the system.
  • data tampering (limited). Exploitation does not allow modification of data beyond what the user is already authorized to modify.

Vulnerability Details

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
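
One way to find affected markup during remediation is to audit templates for `data-loading-text` values that decode to HTML. The following is an added example, not code from this advisory or from Bootstrap; the function names, the severity heuristic and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit markup for data-loading-text values that carry HTML.
const NAMED = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);

// The HTML parser entity-decodes attribute values, so a value that looks
// encoded in the source still reaches the button plugin as markup.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, e) => {
    if (e[0] !== '#') return NAMED.has(e.toLowerCase()) ? NAMED.get(e.toLowerCase()) : m;
    const code = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// Matches double-quoted, single-quoted and unquoted attribute values.
const ATTR = /\bdata-loading-text\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Returns one finding per attribute whose decoded value contains markup.
// Assumed heuristic: 'high' when the markup can run script, else 'review'.
function auditLoadingText(source) {
  const findings = [];
  for (const m of source.matchAll(ATTR)) {
    const value = decodeEntities(m[1] ?? m[2] ?? m[3]);
    if (!value.includes('<')) continue; // plain text, nothing to render
    const scriptCapable = /<\s*script\b|\bon[a-z]+\s*=|javascript:/i.test(value);
    findings.push({
      line: source.slice(0, m.index).split('\n').length,
      value,
      severity: scriptCapable ? 'high' : 'review',
    });
  }
  return findings;
}

// Constructed sample template, one button per line.
const SAMPLE = [
  '<button data-loading-text="Saving...">Save</button>',
  "<button data-loading-text='<i class=\"spin\"></i> Saving'>Save</button>",
  '<button data-loading-text="&lt;img src=x onerror=report()&gt;">Go</button>',
  '<button data-loading-text=Loading>Go</button>',
].join('\n');

console.log(auditLoadingText(SAMPLE));
```

Findings marked `review` are static markup a developer wrote; the ones to trace first are values assembled from user-controlled data, which should be reduced to plain text before they are written into the attribute.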

Common Weakness Enumerations

  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Your Risk Profile

  • Network Exposure: External (accessible from the public internet)
  • Access Interface: Web Browser (primarily web-based applications)
  • Service Outage: Disruptive (operations would be impacted)
  • Data Breach: Disruptive (operations would be impacted)
  • Data Tampering: Disruptive (operations would be impacted)

Additional Identifiers
  • CVE-2024-6485
  • GHSA-vxmc-5x29-h64v