DRUPAL-CONTRIB-2018-074

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bootstrap/DRUPAL-CONTRIB-2018-074.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-074
Published
2018-11-28T17:32:56Z
Modified
2025-12-10T23:33:32.091515Z
Summary
[none]
Details

This base theme bridges the gap between Drupal and the Bootstrap Framework.

The theme does not sufficiently filter what counts as a valid target when opening modals, popovers, and tooltips.

This vulnerability is mitigated by the fact that an attacker must already have the ability to either:

  1. Edit/save custom content that supplies a value for the data-target attribute, injecting malicious code through it.
  2. Inject custom markup onto the page that further exploits the data-target attribute with malicious code. This method of attack is highly unlikely: an attacker who can already inject arbitrary markup has this level of access anyway.

Note: while the base theme does not provide either of these opportunities out of the box, a custom sub-theme may be susceptible if it does not properly sanitize or filter user-provided input for XSS.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/bootstrap

Package

Name
drupal/bootstrap
Purl
pkg:composer/drupal/bootstrap

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.14.0
Database specific
{
    "constraint": "<3.14.0"
}

Database specific

affected_versions
"<3.14.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bootstrap/DRUPAL-CONTRIB-2018-074.json"