CVE-2024-6485

Publication date 11 July 2024

Last updated 5 June 2025


Ubuntu priority

Cvss 3 Severity Score

6.4 · Medium

Score breakdown

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

Status

Package Ubuntu Release Status
twitter-bootstrap3 25.04 plucky
Fixed 3.4.1+dfsg-3+deb12u1build0.25.04.1
24.10 oracular
Fixed 3.4.1+dfsg-3+deb12u1build0.24.10.1
24.04 LTS noble
Fixed 3.4.1+dfsg-3+deb12u1build0.24.04.1
22.04 LTS jammy
Fixed 3.4.1+dfsg-2+deb11u2build0.22.04.1
20.04 LTS focal
Fixed 3.4.1+dfsg-1ubuntu0.1~esm1
18.04 LTS bionic
Fixed 3.3.7+dfsg-2ubuntu0.1~esm1
16.04 LTS xenial
Fixed 3.3.6+dfsg-1ubuntu0.1~esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Severity score breakdown

Parameter Value
Base score 6.4 · Medium
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact Low
Availability impact Low
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L