twitter-bootstrap-rails 5.0.0
twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
medium severity CVE-2019-8331The seyhunak/twitter-bootstrap-rails gem includes a vendored version of the Bootstrap JavaScript library.
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6. All versions of Bootstrap before v 3.4.1 are affected by this vulnerability. All versions of this gem are affected.
Workarounds
Until this gem is updated to use Bootstrap v3.4.1, users can replace it
with the official Twitter-maintained gems, bootstrap-sass
(version 3.4.1)
or bootstrap
(bootstrap 4 and 5).
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.