Skip to content

Cross-Site Scripting in bootstrap-select

High severity GitHub Reviewed Published Sep 3, 2020 • Updated Oct 4, 2021

Package

npm bootstrap-select (npm)

Affected versions

< 1.13.6

Patched versions

1.13.6

Description

Versions of bootstrap-select prior to 1.13.6 are vulnerable to Cross-Site Scripting (XSS). The package does not escape title values on <option> tags. This may allow attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 1.13.6 or later.

References

GHSA ID

GHSA-9r7h-6639-v5mw