CVE-2023-46998
Description
Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bootbox.js versions 3.2 through 6.0 contain an XSS vulnerability: the message passed to alert(), confirm(), and prompt() is inserted into the dialog as unsanitized HTML, so attacker-controlled input reaching those calls runs as script in the embedding page.
Vulnerability
Description
CVE-2023-46998 describes a Cross-Site Scripting (XSS) vulnerability in Bootbox.js, a library that wraps JavaScript's native alert(), confirm(), and prompt() functions with Bootstrap-styled dialogs [1]. The issue affects versions 3.2 through 6.0 and arises because the library inserts the message passed to these functions into the dialog element with jQuery's .html() method (and similar DOM manipulation calls) without sanitization [4]. The message argument is therefore an HTML sink: any markup or script in it is parsed into the page's DOM and executed. Whether the payload is stored or reflected depends only on where the calling application sources the message.
Attack
Vector and Requirements
An attacker exploits this by passing a crafted payload containing HTML and JavaScript as the message argument to any of the vulnerable functions: alert(), confirm(), or prompt() [3]. Successful exploitation requires user interaction, such as clicking a button or submitting a form that opens a Bootbox dialog with attacker-controlled content. The attack is carried out over the network; what is required is a page that passes unsanitized input to Bootbox.js and a victim who visits it [1][3]. Note that the CVSS vector below rates the privileges required as low (PR:L) rather than none.
Impact
If exploited, an attacker can execute arbitrary JavaScript in the origin of the page that embeds the dialog, i.e. in the victim's browser session. The CVSS v3.1 base score is 5.4 (Medium) with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: low confidentiality and integrity impact, but the script can perform actions as the user, read session tokens that are not HttpOnly, or deface the page [3]. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) [3].
Mitigation
Status
As of the latest release (6.0.4), the vendor has not patched the underlying XSS vector [2]. The issue was first reported in 2018 in GitHub issue #661, where the maintainers discussed two approaches: sanitizing input within the library itself, or documenting the risk and requiring developers to sanitize user data before passing it to Bootbox functions [4]. Currently the library's documentation does not explicitly warn about this risk, so developers using Bootbox.js must treat the message argument as an HTML sink: HTML-escape any untrusted data for the HTML context before passing it, build messages only from trusted markup, or switch to a dialog library that renders messages as text [2][4].
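The following is an added example, not Bootbox's own code, illustrating both the sink described above (the message concatenated into the dialog markup, as jQuery's .html() would parse it) and the caller-side mitigation the maintainers discussed: escaping untrusted input before it reaches the library. The helper names (escapeHtml, renderDialogHtml, tagNames, vulnerableCall, hardenedCall) and the attacker payload are constructed for this example and are not from the advisory.

```javascript
// Added example (not Bootbox.js code). Models a dialog whose message is
// inserted as raw HTML, and the caller-side escaping that neutralises it.

// HTML-escape the five characters that matter in text and attribute context.
// Hypothetical helper; use your framework's escaper in real code.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the library's dialog rendering: the message is concatenated
// straight into the body markup, which is the behaviour the advisory describes.
function renderDialogHtml(message) {
  return `<div class="modal-body">${message}</div>`;
}

// Minimal scanner returning the element names a browser would create from
// the markup. Enough to show whether the payload became an element or stayed text.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed attacker-controlled input, e.g. a display name read from a query string.
const UNTRUSTED = '<img src=x onerror="alert(document.cookie)">';

// Application passes the raw string to the dialog: the <img> is created and
// its onerror handler runs in the page's origin.
function vulnerableCall(input) {
  return renderDialogHtml(`Hello, ${input}`);
}

// Application escapes before handing the string to the library: the payload
// is rendered as literal text and no element is created from it.
function hardenedCall(input) {
  return renderDialogHtml(`Hello, ${escapeHtml(input)}`);
}

console.log('vulnerable:', tagNames(vulnerableCall(UNTRUSTED)));
console.log('hardened:  ', tagNames(hardenedCall(UNTRUSTED)));
```

Escaping must match the context the library uses the string in; since Bootbox treats the message as HTML, HTML-escaping the whole untrusted value is correct, while partial filtering (stripping only `<script>`) is not, as the `onerror` attribute payload above shows.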
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| bootbox | npm | >= 3.2.0, <= 6.0.0 | — |
Affected products
- BootBox/Bootbox.js
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-m4ch-4m5f-2gp6 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-46998 (NVD entry)
- https://github.com/bootboxjs/bootbox/issues/661 (upstream issue)
News mentions
No linked articles in our index yet.