Cross-site Scripting (XSS)
Description
This affects versions before 1.19.1 of package bootstrap-table. A type confusion vulnerability can lead to a bypass of input sanitization when the input provided to the escapeHTML function is an array (instead of a string) even if the escape attribute is set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Type confusion in bootstrap-table's escapeHTML function before version 1.19.1 allows XSS by passing an array instead of a string.
Vulnerability
Versions of bootstrap-table prior to 1.19.1 are vulnerable to Cross-site Scripting (XSS) due to a type confusion issue in the escapeHTML function [1]. When the input provided to escapeHTML is an array instead of a string, the sanitization is bypassed, even if the data-escape attribute is set to true [2]. The vulnerability exists in the utility function located in src/utils/index.js [1].
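The type-confusion pattern described above, as an added illustration (constructed example code, not bootstrap-table's own implementation): a sanitizer that only escapes when `typeof` is `string` returns an array untouched, and the array is later stringified raw into the markup, while the hardened variant normalises every value to a string first. The `renderCell` and `containsRawTag` helpers are hypothetical.

```javascript
// Constructed example of the type-confusion class: NOT bootstrap-table's code.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#039;', '`': '&#x60;'
};

// Weak pattern: only string inputs are escaped; any other type is returned
// as-is. An array therefore bypasses the sanitizer entirely.
function escapeHTMLWeak(text) {
  if (typeof text !== 'string') {
    return text; // type confusion: arrays, numbers, objects pass through
  }
  return text.replace(/[&<>"'`]/g, ch => ESCAPE_MAP[ch]);
}

// Hardened pattern: coerce every input to a string before escaping, so the
// escaped form is what reaches the DOM regardless of the JSON field's type.
function escapeHTMLSafe(value) {
  if (value === null || value === undefined) return '';
  const text = Array.isArray(value) ? value.join(',') : String(value);
  return text.replace(/[&<>"'`]/g, ch => ESCAPE_MAP[ch]);
}

// Hypothetical cell renderer: template interpolation stringifies an array by
// joining its elements with ',' which is how raw markup ends up in the cell.
function renderCell(escapeFn, fieldValue) {
  return `<td>${escapeFn(fieldValue)}</td>`;
}

// Defensive check for tests: does rendered cell markup still contain a tag
// other than the wrapping <td> itself?
function containsRawTag(html) {
  return /<(?!\/?td>)[a-z]/i.test(html);
}

// Constructed row as a data-url endpoint might return it: the field is an
// array rather than a string. The markup used here is deliberately harmless.
const row = { name: ['<b>bold</b>'] };
console.log(renderCell(escapeHTMLWeak, row.name)); // tag survives
console.log(renderCell(escapeHTMLSafe, row.name)); // tag escaped
```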
Exploitation
An attacker can exploit this vulnerability by supplying a JSON response via the data-url attribute where the affected field (e.g., name) contains an array of malicious HTML [2][3]. The PoC demonstrates setting data-escape="true" and providing a JSON object with an array value that includes a payload such as `` [2][3]. No additional authentication or user interaction is required beyond the victim accessing a page that loads the crafted JSON data into a bootstrap-table [2][3].
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into the victim's browser context, leading to XSS. This could result in data theft, session hijacking, or other malicious actions performed in the context of the vulnerable web application [2][3].
Mitigation
The issue is fixed in bootstrap-table version 1.19.1 released on 22 September 2021 [2][3]. Users should upgrade to version 1.19.1 or later. There is no known workaround besides upgrading, as the type confusion is inherent to the sanitization logic [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bootstrap-table (npm) | <= 1.19.0 | — |
Affected products
- bootstrap-table/bootstrap-table
  - Range: <1.19.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mw6q-98mp-g8g8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23472 (advisory)
- github.com/wenzhixin/bootstrap-table/blob/develop/src/utils/index.js#L218 (web)
- security.snyk.io/vuln/SNYK-JS-BOOTSTRAPTABLE-1657597 (web)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1910690 (web)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1910689 (web)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBWENZHIXIN-1910687 (web)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1910688 (web)
News mentions
No linked articles in our index yet.