Bootstrap 3.3.2, released on January 19, 2015, builds on the foundation of Bootstrap 3.3.1, which came out on November 12, 2014. Both versions share the same core description as the most popular front-end framework for responsive, mobile-first web development, but several dependency updates distinguish the two. Developers considering an upgrade should note these changes, as they can affect the build process and potentially introduce compatibility issues.
Specifically, several devDependencies received notable upgrades. glob moved from ~4.0.6 to ~4.3.5, grunt-jscs from ~0.8.1 to ~1.2.0, and remarkable from ~1.4.0 to ~1.6.0. A substantial shift occurred with npm-shrinkwrap, which moved from ~5.1.0 to ^200.0.0. grunt-saucelabs was updated from ~8.3.2 to ~8.4.1, grunt-autoprefixer from ~1.0.1 to ~2.1.0, grunt-contrib-less from ~0.12.0 to ~1.0.0, grunt-contrib-cssmin from ~0.10.0 to ~0.11.0, and grunt-contrib-uglify from ~0.6.0 to ~0.7.0. Updates like these typically bring performance improvements, bug fixes, and new features in the tools themselves; when upgrading, review the changelog of each package to understand the precise nature of the changes and ensure a smooth transition for your project. Both versions keep the MIT license and the same repository, so licensing and source code availability are unchanged.
All vulnerabilities affecting version 3.3.2 of the package
XSS vulnerability that affects bootstrap
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap starting in version 2.3.0 and prior to 3.4.0, as well as 4.x before 4.1.2, XSS is possible in the collapse data-parent attribute.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041.
See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.
Bootstrap Cross-site Scripting vulnerability
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
bootstrap Cross-site Scripting vulnerability
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Bootstrap Vulnerable to Cross-Site Scripting
Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow an attacker to execute arbitrary JavaScript.
For bootstrap 4.x, upgrade to 4.3.1 or later.
For bootstrap 3.x, upgrade to 3.4.1 or later.
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Bootstrap Cross-Site Scripting (XSS) vulnerability
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
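As an added example (not Bootstrap's code and not part of this listing), the audit below scans rendered markup for the attribute names the advisories above cite and flags values that look like HTML where a selector is expected, or script-bearing constructs in the template and label attributes; the attribute lists, the allow-list regex and the sample fragments are my own constructions.

```javascript
// Added example (not Bootstrap's own code): a defender-side audit of Bootstrap 3.3.x
// markup for the data-* attributes the advisories above name. Inputs are constructed.

// Attributes Bootstrap 3.3.x passed to a jQuery lookup. jQuery treats a string that
// starts with '<' as HTML to create, not as a selector, so such values are suspect.
const SELECTOR_ATTRS = ['data-target', 'data-parent', 'data-viewport', 'data-container', 'href'];
// Attributes that legitimately carry markup or text (tooltip/popover template, button label).
const MARKUP_ATTRS = ['data-template', 'data-loading-text'];

// Strict allow-list for selector values: one or more id/class selectors. Deliberately
// narrow; extend it (e.g. to 'body') only for values your templates actually use.
const SAFE_SELECTOR = /^\s*[#.][A-Za-z_][\w-]*(\s*,\s*[#.][A-Za-z_][\w-]*)*\s*$/;
// Script-bearing constructs that have no place in a tooltip template or button label.
const SCRIPTY = /<\s*script\b|\son[a-z]+\s*=|javascript\s*:/i;

// Guard to apply before a value reaches the plugin: returns the trimmed selector
// if it passes the allow-list, otherwise null so the caller can drop it.
function safeSelectorOrNull(value) {
  return SAFE_SELECTOR.test(value) ? value.trim() : null;
}

// Scans an HTML fragment (e.g. a rendered template) and returns one
// {attr, value, reason} entry for every attribute value that looks unsafe.
function auditFragment(html) {
  const names = SELECTOR_ATTRS.concat(MARKUP_ATTRS).join('|');
  const attrRe = new RegExp('\\b(' + names + ')\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'gi');
  const findings = [];
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3];
    if (SELECTOR_ATTRS.includes(attr)) {
      // href may legitimately be a URL, so the test here is only "looks like markup".
      if (value.includes('<')) {
        findings.push({ attr, value, reason: 'markup where a selector is expected' });
      }
    } else if (SCRIPTY.test(value)) {
      findings.push({ attr, value, reason: 'script-bearing construct in template or text' });
    }
  }
  return findings;
}

// Constructed samples: a safe collapse trigger and one whose target is markup.
const SAFE_HTML = '<a data-toggle="collapse" data-target="#demo" href="#demo">Open</a>';
const UNSAFE_HTML = '<a data-toggle="collapse" data-target="<b>not a selector</b>">Open</a>';
console.log(auditFragment(SAFE_HTML));   // []
console.log(auditFragment(UNSAFE_HTML)); // [{ attr: 'data-target', ... }]
```

Run it over server-side templates or a crawled copy of the site to find attribute values that need the allow-list guard before a 3.3.x deployment can be considered safe, and pair it with the upgrade paths the advisories give.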