[Bug 1940450] Re: XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

Seth Arnold 1940450 at bugs.launchpad.net
Wed Aug 25 02:23:27 UTC 2021 

I inspected some of the python3-xstatic-bootstrap-scss package:

./python-xstatic-bootstrap-
scss_3.3.7.1-5/xstatic/pkg/bootstrap_scss/data/js/bootstrap/tooltip.js

While the header sure looks related, I couldn't find *any* hints that
the patch from
https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
is remotely related. If they are related, that file has changed pretty
drastically in the meantime.

Jeremy, can I ask, how confident you are that that package contains a
version of the bootstrap tooltips that needs to be updated to address
this flaw? (I only found one user of this package, python3-vitrage-
dashboard -- with just one user, it might also justify a similar "is
this even an issue?" sort of check.)

Thanks

** Also affects: python-xstatic-bootstrap-scss (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
       Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  Invalid
Status in horizon package in Ubuntu:
  New
Status in python-xstatic-bootstrap-scss package in Ubuntu:
  New

Bug description:
  The data-template attribute of the tooltip and popover plugins lacks
  input sanitization and may allow attacker to execute arbitrary
  JavaScript.

  github source: https://github.com/twbs/bootstrap/pull/28236
  github upstream MR: https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0
  ubuntu-cve https://ubuntu.com/security/CVE-2019-8331

  openstack-dashboard,from xenial UCA, python-django-horizon version 13.0.2-0ubuntu3~cloud0
  `pull-uca-source python-django-horizon 3:13.0.2-0ubuntu3~cloud0`

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list