From 8799dbaf249c348c5de6454d7228ca4f632a0b00 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sat, 3 Aug 2024 02:22:48 +0000
Subject: [PATCH] Updated advisory posts against
rubysec/ruby-advisory-db@446f848
---
.../_posts/2016-07-27-CVE-2016-10735.md | 1 +
.../_posts/2019-01-17-CVE-2018-20676.md | 38 ++++++++++++++++++
.../_posts/2019-01-17-CVE-2018-20677.md | 39 +++++++++++++++++++
advisories/_posts/2024-07-11-CVE-2024-6484.md | 31 +++++++++++++++
advisories/_posts/2024-07-11-CVE-2024-6531.md | 31 +++++++++++++++
.../_posts/2024-08-01-CVE-2024-41123.md | 2 +
6 files changed, 142 insertions(+)
create mode 100644 advisories/_posts/2019-01-17-CVE-2018-20676.md
create mode 100644 advisories/_posts/2019-01-17-CVE-2018-20677.md
create mode 100644 advisories/_posts/2024-07-11-CVE-2024-6484.md
create mode 100644 advisories/_posts/2024-07-11-CVE-2024-6531.md
diff --git a/advisories/_posts/2016-07-27-CVE-2016-10735.md b/advisories/_posts/2016-07-27-CVE-2016-10735.md
index 641fd2b..5fd4d1e 100644
--- a/advisories/_posts/2016-07-27-CVE-2016-10735.md
+++ b/advisories/_posts/2016-07-27-CVE-2016-10735.md
@@ -7,6 +7,7 @@ categories:
advisory:
gem: bootstrap
cve: 2016-10735
+ ghsa: 4p24-vmcr-4gqj
url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
title: XSS vulnerability via data-target in bootstrap
date: 2016-07-27
diff --git a/advisories/_posts/2019-01-17-CVE-2018-20676.md b/advisories/_posts/2019-01-17-CVE-2018-20676.md
new file mode 100644
index 0000000..b123a97
--- /dev/null
+++ b/advisories/_posts/2019-01-17-CVE-2018-20676.md
@@ -0,0 +1,38 @@
+---
+layout: advisory
+title: 'CVE-2018-20676 (bootstrap): XSS vulnerability that affects bootstrap'
+comments: false
+categories:
+- bootstrap
+advisory:
+ gem: bootstrap
+ cve: 2018-20676
+ ghsa: 3mgp-fx93-9xv5
+ url: https://github.com/advisories/GHSA-3mgp-fx93-9xv5
+ title: XSS vulnerability that affects bootstrap
+ date: 2019-01-17
+ description: |
+ In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport
+ attribute.
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 3.4.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20676
+ - https://github.com/twbs/bootstrap/issues/27044
+ - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
+ - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
+ - https://github.com/twbs/bootstrap/pull/27047
+ - https://access.redhat.com/errata/RHBA-2019:1076
+ - https://access.redhat.com/errata/RHBA-2019:1570
+ - https://access.redhat.com/errata/RHSA-2019:1456
+ - https://access.redhat.com/errata/RHSA-2019:3023
+ - https://access.redhat.com/errata/RHSA-2020:0132
+ - https://access.redhat.com/errata/RHSA-2020:0133
+ - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@
+ - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
+ - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
+ - https://github.com/advisories/GHSA-3mgp-fx93-9xv5
+---
diff --git a/advisories/_posts/2019-01-17-CVE-2018-20677.md b/advisories/_posts/2019-01-17-CVE-2018-20677.md
new file mode 100644
index 0000000..31ed69f
--- /dev/null
+++ b/advisories/_posts/2019-01-17-CVE-2018-20677.md
@@ -0,0 +1,39 @@
+---
+layout: advisory
+title: 'CVE-2018-20677 (bootstrap): bootstrap Cross-site Scripting vulnerability'
+comments: false
+categories:
+- bootstrap
+advisory:
+ gem: bootstrap
+ cve: 2018-20677
+ ghsa: ph58-4vrj-w6hr
+ url: https://github.com/advisories/GHSA-ph58-4vrj-w6hr
+ title: bootstrap Cross-site Scripting vulnerability
+ date: 2019-01-17
+ description: |
+ In Bootstrap before 3.4.0, XSS is possible in the affix
+ configuration target property.
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 3.4.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20677
+ - https://github.com/twbs/bootstrap/issues/27045
+ - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906
+ - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628
+ - https://github.com/twbs/bootstrap/pull/27047
+ - https://access.redhat.com/errata/RHBA-2019:1076
+ - https://access.redhat.com/errata/RHBA-2019:1570
+ - https://access.redhat.com/errata/RHSA-2019:1456
+ - https://access.redhat.com/errata/RHSA-2019:3023
+ - https://access.redhat.com/errata/RHSA-2020:0132
+ - https://access.redhat.com/errata/RHSA-2020:0133
+ - https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@
+ - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@
+ - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d
+ - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0
+ - https://github.com/advisories/GHSA-ph58-4vrj-w6hr
+---
diff --git a/advisories/_posts/2024-07-11-CVE-2024-6484.md b/advisories/_posts/2024-07-11-CVE-2024-6484.md
new file mode 100644
index 0000000..e34d3e5
--- /dev/null
+++ b/advisories/_posts/2024-07-11-CVE-2024-6484.md
@@ -0,0 +1,31 @@
+---
+layout: advisory
+title: 'CVE-2024-6484 (bootstrap): Bootstrap Cross-Site Scripting (XSS) vulnerability'
+comments: false
+categories:
+- bootstrap
+advisory:
+ gem: bootstrap
+ cve: 2024-6484
+ ghsa: 9mvj-f7w8-pvh2
+ url: https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
+ title: Bootstrap Cross-Site Scripting (XSS) vulnerability
+ date: 2024-07-11
+ description: |
+ A vulnerability has been identified in Bootstrap that exposes users
+ to Cross-Site Scripting (XSS) attacks. The issue is present in the
+ carousel component, where the data-slide and data-slide-to attributes
+ can be exploited through the href attribute of an tag due to
+ inadequate sanitization. This vulnerability could potentially enable
+ attackers to execute arbitrary JavaScript within the victim's browser.
+ cvss_v3: 6.4
+ unaffected_versions:
+ - "< 2.0.0"
+ patched_versions:
+ - "> 3.4.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6484
+ - https://www.herodevs.com/vulnerability-directory/cve-2024-6484
+ - https://github.com/advisories/GHSA-9mvj-f7w8-pvh2
+---
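Review bot: The description line `can be exploited through the href attribute of an tag due to` is missing the element name; it looks as if the `<a>` was dropped when the text was copied from an HTML-rendered source, so the published advisory will show the same truncated sentence. Because the post is rendered by Jekyll, a bare `<a>` would most likely be swallowed as markup again, so write it as `` the href attribute of an `<a>` tag due to `` (or use `&lt;a&gt;`) to keep the element name visible. The same garbled sentence appears in the CVE-2024-6531 post in the next hunk and should be fixed there as well.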
diff --git a/advisories/_posts/2024-07-11-CVE-2024-6531.md b/advisories/_posts/2024-07-11-CVE-2024-6531.md
new file mode 100644
index 0000000..84ffca7
--- /dev/null
+++ b/advisories/_posts/2024-07-11-CVE-2024-6531.md
@@ -0,0 +1,31 @@
+---
+layout: advisory
+title: 'CVE-2024-6531 (bootstrap): Bootstrap Cross-Site Scripting (XSS) vulnerability'
+comments: false
+categories:
+- bootstrap
+advisory:
+ gem: bootstrap
+ cve: 2024-6531
+ ghsa: vc8w-jr9v-vj7f
+ url: https://github.com/advisories/GHSA-vc8w-jr9v-vj7f
+ title: Bootstrap Cross-Site Scripting (XSS) vulnerability
+ date: 2024-07-11
+ description: |
+ A vulnerability has been identified in Bootstrap that exposes users
+ to Cross-Site Scripting (XSS) attacks. The issue is present in the
+ carousel component, where the data-slide and data-slide-to attributes
+ can be exploited through the href attribute of an tag due to
+ inadequate sanitization. This vulnerability could potentially enable
+ attackers to execute arbitrary JavaScript within the victim's browser.
+ cvss_v3: 6.4
+ unaffected_versions:
+ - "< 4.0.0"
+ patched_versions:
+ - "> 4.6.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6531
+ - https://www.herodevs.com/vulnerability-directory/cve-2024-6531
+ - https://github.com/advisories/GHSA-vc8w-jr9v-vj7f
+---
diff --git a/advisories/_posts/2024-08-01-CVE-2024-41123.md b/advisories/_posts/2024-08-01-CVE-2024-41123.md
index 69c7a51..f26e473 100644
--- a/advisories/_posts/2024-08-01-CVE-2024-41123.md
+++ b/advisories/_posts/2024-08-01-CVE-2024-41123.md
@@ -7,6 +7,7 @@ categories:
advisory:
gem: rexml
cve: 2024-41123
+ ghsa: r55c-59qm-vjw6
url: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123
title: DoS vulnerabilities in REXML
date: 2024-08-01
@@ -33,6 +34,7 @@ advisory:
## History
Originally published at 2024-08-01 03:00:00 (UTC)
+ cvss_v3: 5.3
patched_versions:
- ">= 3.3.3"
related: