VYPR
Moderate severity · NVD Advisory · Published Jul 13, 2018 · Updated Aug 5, 2024

CVE-2018-14041

Description

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in Bootstrap's scrollspy component before 4.1.2 via the data-target property.

Vulnerability

Bootstrap versions before 4.1.2 (the GitHub advisory lists 4.0.0 through 4.1.1) contain a cross-site scripting vulnerability in the scrollspy component. The value of the target option, whether set through the data-target attribute or the JavaScript config, is stored as a selector string and handed to jQuery's `$()` constructor when scrollspy builds its list of targets. `$()` treats a string that looks like an HTML fragment (`<...>`) as markup to parse rather than as a selector, so an attacker who controls that value can supply a fragment such as an `<img>` element with an event handler and have its script execute. The fix commit replaces `$(this._selector)` with `document.querySelectorAll(this._selector)`, which never interprets its argument as HTML. [1]

Exploitation

Exploitation requires that the attacker control the scrollspy target value, for example through a page or CMS component that lets untrusted users set data-target on the spied element or pass a target option. No authentication is needed beyond that: the payload fires when a victim loads a page on which the vulnerable scrollspy initialises with the crafted value. [1]
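How jQuery decides that a target string is HTML rather than a selector, shown as an added example that is not Bootstrap's or jQuery's own code: `classifyJqueryArgument` reproduces the check in jQuery 3.x's `$()` constructor (the `<...>` fast path and its `rquickExpr` regex, copied from jQuery's source), and `safeTargetSelector` is a hypothetical hardening that refuses any target containing angle brackets, which is the effect the 4.1.2 fix achieves by switching to `document.querySelectorAll`. The sample target values are constructed for the demonstration.

```javascript
// Added example: models jQuery 3.x's $() string classification and a
// hypothetical hardened target resolver. Not Bootstrap's or jQuery's code.

// jQuery 3.x rquickExpr: recognises "<...>" (HTML) or "#id" fast paths.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns how jQuery 3.x would interpret a string passed to $(...):
//   "html"     -> jQuery.parseHTML runs, creating elements whose event
//                 handlers (onerror, onload, ...) can execute script
//   "id"       -> document.getElementById fast path
//   "selector" -> Sizzle/querySelectorAll, which never parses HTML
function classifyJqueryArgument(str) {
  if (typeof str !== 'string' || str === '') return 'empty';
  let match;
  if (str[0] === '<' && str[str.length - 1] === '>' && str.length >= 3) {
    match = [null, str, null]; // explicit "<...>" short-circuit in jQuery.fn.init
  } else {
    match = RQUICK_EXPR.exec(str);
  }
  if (match && match[1]) return 'html';
  if (match && match[2]) return 'id';
  return 'selector';
}

// Hypothetical hardening for a scrollspy-style "target" option (assumption:
// not the project's API). Selectors never contain angle brackets while HTML
// fragments always do, so rejecting them guarantees the value can never reach
// an HTML-parsing jQuery call, even if some code path still uses $().
function safeTargetSelector(target) {
  if (typeof target !== 'string') throw new TypeError('target must be a string');
  const trimmed = target.trim();
  if (trimmed === '' || /[<>]/.test(trimmed)) {
    throw new Error(`refusing unsafe scrollspy target: ${JSON.stringify(target)}`);
  }
  return trimmed;
}

// Constructed sample values: what an attacker-controlled data-target might hold.
const SAMPLES = {
  benign_id:    '#navbar',
  benign_class: '.nav-links',
  img_onerror:  '<img src=x onerror=alert(document.domain)>',
  // Leading whitespace is absorbed by the \s* in rquickExpr, so this still
  // takes the HTML path even though it does not start with "<".
  padded_svg:   '   <svg onload=alert(1)>',
  // Not "<...>" and not "#id", so jQuery 3.x treats it as a selector (and
  // Sizzle would reject it). jQuery before 1.9 used a looser regex that also
  // accepted text before the "<", so 'navbar<img ...>' was HTML there.
  mixed:        '#navbar<img src=x onerror=alert(1)>',
};

// Runs every sample through both functions and returns a summary keyed by name.
function runSamples() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    let hardened;
    try {
      hardened = safeTargetSelector(value);
    } catch (e) {
      hardened = 'REJECTED';
    }
    out[name] = { jquery: classifyJqueryArgument(value), hardened };
  }
  return out;
}

for (const [name, r] of Object.entries(runSamples())) {
  console.log(`${name.padEnd(13)} jQuery path: ${r.jquery.padEnd(8)} hardened: ${r.hardened}`);
}
```

The point to take from the output is that the vulnerable path is selected purely by the shape of the string, so any attribute value that can start with `<` (after optional whitespace) is a script sink when it reaches `$()`; a fix that only trims or prefixes the value would not be sufficient, whereas an API that cannot parse HTML at all (`querySelectorAll`) closes the sink regardless of input.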

Impact

Successful exploitation runs attacker-supplied JavaScript in the victim's browser within the origin of the affected site, with the usual client-side XSS consequences: session or token theft, page defacement, and exfiltration of any data the page can reach. [1]

Mitigation

The issue is fixed in Bootstrap 4.1.2 (commit cc61edfa8af7); upgrade to 4.1.2 or later. The TYPO3 entries in the affected-packages list below reflect that TYPO3 CMS ships Bootstrap and picked up the fix in its own 8.7.23 and 9.5.4 releases, so downstream consumers should check the version their framework bundles rather than only direct dependencies. No other workarounds are mentioned in the references; the only defensive measure implied by the fix, for deployments that cannot upgrade immediately, is to ensure data-target and target values are never derived from untrusted input. [1][4]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions     Patched versions
bootstrap                npm         >= 4.0.0, < 4.1.2     4.1.2
typo3/cms-core           Packagist   >= 8.0.0, < 8.7.23    8.7.23
typo3/cms-core           Packagist   >= 9.0.0, < 9.5.4     9.5.4
typo3/cms                Packagist   >= 8.0.0, < 8.7.23    8.7.23
typo3/cms                Packagist   >= 9.0.0, < 9.5.4     9.5.4
bootstrap                RubyGems    >= 4.0.0, < 4.1.2     4.1.2
twbs/bootstrap           Packagist   >= 4.0.0, < 4.1.2     4.1.2
bootstrap                NuGet       >= 4.0.0, < 4.1.2     4.1.2
bootstrap.sass           NuGet       >= 4.0.0, < 4.1.2     4.1.2
org.webjars:bootstrap    Maven       >= 4.0.0, < 4.1.2     4.1.2

Affected products

8

Patches

2
1f46337a89ed

Update README.md

https://github.com/twbs/bootstrap · Mark Otto · Jul 12, 2018 · via osv
1 file changed · +1 −1
  • README.md +1 −1 modified
    @@ -49,7 +49,7 @@ Several quick start options are available:
     - Install with [Composer](https://getcomposer.org/): `composer require twbs/bootstrap:4.1.2`
     - Install with [NuGet](https://www.nuget.org/): CSS: `Install-Package bootstrap` Sass: `Install-Package bootstrap.sass`
     
    -Read the [Getting started page](https://getbootstrap.com/docs/4.0/getting-started/introduction/) for information on the framework contents, templates and examples, and more.
    +Read the [Getting started page](https://getbootstrap.com/docs/4.1/getting-started/introduction/) for information on the framework contents, templates and examples, and more.
     
     ## Status
     
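Review bot: this hunk only changes the documentation link (the Getting started URL moves from the 4.0 docs to the 4.1 docs) and touches no code, so it should not be counted as a remediation commit for CVE-2018-14041; anyone verifying the fix by commit presence should look for the scrollspy change (cc61edfa8af7) instead. The unchanged context line `composer require twbs/bootstrap:4.1.2` is the only security-relevant detail here, and it is a useful pin to copy.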
    
cc61edfa8af7

fix(scrollspy): xss in target option

https://github.com/twbs/bootstrap · Johann-S · May 30, 2018 · via osv
1 file changed · +1 −1
  • js/src/scrollspy.js +1 −1 modified
    @@ -115,7 +115,7 @@ const ScrollSpy = (($) => {
     
           this._scrollHeight = this._getScrollHeight()
     
    -      const targets = $.makeArray($(this._selector))
    +      const targets = $.makeArray(document.querySelectorAll(this._selector))
     
           targets
             .map((element) => {
    
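Review bot: replacing `$(this._selector)` with `document.querySelectorAll(this._selector)` removes the HTML-parsing path of jQuery's `$()` at this call site, which is the right fix, but `this._selector` is still an unvalidated string from the target option, and `querySelectorAll` throws a SyntaxError on anything that is not a valid selector, so an injected `<img ...>` value now raises instead of executing. Consider wrapping the call in a try/catch that logs and returns an empty target list, and confirm that no other method in this class still passes `this._selector` to `$()`, since this hunk covers only the one call site visible in the diff.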

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

29

News mentions

0

No linked articles in our index yet.