You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@jmeter.apache.org by "Centinaro, Gabriele" <Ga...@nuance.com.INVALID> on 2022/08/29 13:01:37 UTC

Vulnerability in bootstrap

Hi,

Our security team has flagged a vulnerability in the file apache-jmeter\bin\report-template\sbadmin2-1.0.7\bower_components\bootstrap\dist\js\bootstrap.min.js
The latest JMeter version 5.5 still uses the same version of bootstrap (3.3.7), any way this can be updated to the latest version 5.2.0?

Vulnerability info:

  *   CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
     *   In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
     *   In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
     *   In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
     *   In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
     *   In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.