CVE-2024-6484: 
JavaScript vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been identified in Bootstrap versions 3.2.0 through 3.4.1, specifically affecting the carousel component. The vulnerability was discovered and disclosed on July 11, 2024, and is tracked as CVE-2024-6484. The issue affects the Bootstrap framework's carousel component, which is widely used for developing responsive, mobile-first web sites and applications (HeroDevs Advisory, NVD).

The vulnerability exists in the carousel component where the data-slide and data-slide-to attributes can be exploited through the href attribute of an anchor tag due to inadequate sanitization. When an anchor element is used for carousel navigation with these attributes, the href attribute value is not properly sanitized. The issue occurs when the click event's preventDefault() is not applied and the href is evaluated and executed, leading to potential XSS exploitation. The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) from NIST and 6.4 (Medium) from HeroDevs (NVD).

If exploited, this vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser. The cross-site scripting vulnerability allows malicious scripts to be injected into otherwise benign and trusted websites, which could lead to unauthorized access to user data or perform actions on behalf of the user (HeroDevs Advisory).

Users of affected Bootstrap versions are advised to either migrate to a newer version of Bootstrap or leverage a commercial support partner for post-EOL security support. HeroDevs has released a patch in their Never-Ending Support (NES) version of Bootstrap 3 (bootstrap@3.4.5) that properly sanitizes href attributes, blocking the potential for XSS attacks through this vector (HeroDevs Advisory).