CVE-2024-6531 - Vulnerability Details

A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Getbootstrap	Bootstrap

No data.

References

No reference.

History

Fri, 01 Aug 2025 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-79
CPEs	cpe:2.3:a:getbootstrap:bootstrap:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::*
Vendors & Products	Debian Debian debian Linux Getbootstrap Getbootstrap bootstrap
References	https://lists.debian.org/debian-lts-announce/2025/04/msg00021.html https://www.herodevs.com/vulnerability-directory/cve-2024-6531
Metrics	cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L'}`

Fri, 01 Aug 2025 18:15:00 +0000

Type	Values Removed	Values Added
Title	XSS in Bootstrap carousel component
CPEs	cpe:2.3:a:getbootstrap:bootstrap:4.0.0:-::::::
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 Aug 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.	This was not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap’s security model, and the associated CVE has been rescinded.

Fri, 16 May 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
CPEs		cpe:2.3:a:getbootstrap:bootstrap:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::*
Vendors & Products		Debian Debian debian Linux

Sun, 13 Apr 2025 17:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/04/msg00021.html

Sun, 13 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Getbootstrap Getbootstrap bootstrap
CPEs		cpe:2.3:a:getbootstrap:bootstrap:4.0.0:-::::::
Vendors & Products		Getbootstrap Getbootstrap bootstrap
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: REJECTED

Assigner: HeroDevs

Published: 2024-07-11T17:15:57.820Z

Updated: 2025-08-01T17:12:55.431Z

Reserved: 2024-07-05T13:56:42.257Z

Link: CVE-2024-6531

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2024-07-11T18:15:06.207

Modified: 2025-08-01T18:15:31.217

Link: CVE-2024-6531

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object