Bootstrap has released versions 4.3.1 and 3.4.1 to patch an XSS vulnerability (CVE-2019-8331) that was reported to the Bootstrap Drupal project by a developer and then responsibly disclosed to the Bootstrap development team. The vulnerability specifically affects usage of the tooltip and popover features:
Earlier this week a developer reported an XSS issue similar to the data-target vulnerability that was fixed in v4.1.2 and v3.4.0: the data-template attribute for our tooltip and popover plugins lacked proper XSS sanitization of the HTML that can be passed into the attribute’s value.
According to data from BuiltWith, Bootstrap is used by approximately 16% of the internet. It is also used widely among WordPress plugins. There are hundreds of listings in the WordPress.org Plugin Directory that implement Bootstrap in one way or another. Many of them have not been updated for mon » Read More