Open
Description
Today I generated a Rails app with Bootstrap 4.
But GitHub says I'm vulnerable to XSS attacks.
1 bootstrap vulnerability found in Gemfile.lock 3 minutes ago
Remediation
Upgrade bootstrap to version 4.1.2 or later. For example:
gem "bootstrap", ">= 4.1.2"
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2018-14042 More information
moderate severity
Vulnerable versions: < 4.1.2
Patched version: 4.1.2
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.
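
A way to confirm which bootstrap version Bundler actually locked, as an added example that is not part of the original issue or the project's code. The sample lockfile is constructed for illustration, and the helper names `locked_version` and `vulnerable_bootstrap?` are hypothetical.

```ruby
require "rubygems" # provides Gem::Version for correct version ordering

# Constructed sample lockfile; the gems and versions are illustrative only.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (8.6.5)
        execjs
      bootstrap (4.1.1)
        autoprefixer-rails (>= 6.0.3)
        popper_js (>= 1.12.9, < 2)
        sass (>= 3.5.2)
      popper_js (1.14.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap (~> 4.1.1)
LOCK

PATCHED = Gem::Version.new("4.1.2") # patched version named in the alert

# Return the version locked for gem_name, or nil if it is not resolved.
# Resolved gems sit at exactly four spaces of indent under "specs:";
# their dependency constraints sit at six spaces and are skipped.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[2]) if m[1] == gem_name
    end
  end
  nil
end

# True when bootstrap is locked below the patched version.
def vulnerable_bootstrap?(lockfile_text)
  version = locked_version(lockfile_text, "bootstrap")
  !version.nil? && version < PATCHED
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts vulnerable_bootstrap?(text) ? "bootstrap locked below #{PATCHED}" : "ok"
end
```

Pass the path to a real `Gemfile.lock` as the first argument to check a project instead of the sample.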