- Release Date: May 7, 2019
- Component Type: Bootstrap CSS toolkit (bundled in TYPO3 core package, ext:core)
- Impact: Cross-Site Scripting, Known Vulnerability
- Affected Versions: all Bootstrap versions before 3.4.1, 4.3.0
- CVE: CVE-2019-8331

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, cross-site scripting is possible in the tooltip or popover data-template attribute.
An official fix has been released with Bootstrap versions 3.4.1 and 4.3.1; see blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ for details.
Update to TYPO3 version 8.7.25 or 9.5.6, which fix the problem described.
Extension authors bundling Bootstrap versions with their source code are advised to upgrade or patch those vulnerable versions accordingly.
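
For extension authors checking what they bundle, the following added example (not part of this advisory, nor TYPO3 or Bootstrap code) scans a directory tree for Bootstrap version banners in .js files and reports copies older than the fixed releases 3.4.1 and 4.3.1. The function names and the sample tree are constructed for illustration, and flagging every release older than the fix on its major line is an assumption.

```python
import os
import re
import tempfile

# Fixed releases named in the advisory, keyed by major version.
FIXED = {3: (3, 4, 1), 4: (4, 3, 1)}
# Version banner in the header comment of Bootstrap's distributed JS files.
BANNER = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")

def is_affected(version):
    # Assumption: any release older than the fix on its major line is flagged
    # (majors below 3 included); majors above 4 are treated as not affected.
    if version[0] < 3:
        return True
    fixed = FIXED.get(version[0])
    return fixed is not None and version < fixed

def scan(root):
    """Return sorted (relative path, version) pairs for flagged copies."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".js")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # A concatenated bundle can carry the banner anywhere in the file.
            for m in BANNER.finditer(text):
                if is_affected(tuple(int(g) for g in m.groups())):
                    hits.add((os.path.relpath(path, root), ".".join(m.groups())))
    return sorted(hits)

def demo():
    """Scan a constructed tree; the file contents are samples, not releases."""
    samples = {
        "ext_a/bootstrap.min.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
        "ext_b/bootstrap.js": "/*!\n * Bootstrap v4.3.1 (https://getbootstrap.com/)\n */",
        "ext_c/bundle.js": "var a=1;\n/*!\n * Bootstrap v4.3.0 (https://getbootstrap.com/)\n */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for rel, version in demo():
        print(f"{rel}: bundled Bootstrap {version} predates the fixed release")
```

A copy that was patched in place keeps its old banner, so a hit means the file needs review, not that it is necessarily still vulnerable. Builds that strip the banner comment are not detected by this check.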
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.