CVE-2024-6485: 
JavaScript vulnerability analysis and mitigation

A security vulnerability (CVE-2024-6485) has been discovered in Bootstrap versions >=1.4.0 <=3.4.1 that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin, which can be exploited by injecting malicious JavaScript code into the attribute that would then be executed when the button's loading state is triggered (HeroDevs, NVD).

The vulnerability exists in the Bootstrap Button component where the data-*-text attributes (e.g., data-complete-text) associated with a button's state feature lack proper content sanitization. This allows unrestricted HTML content to be shown inside the button, potentially leading to malicious script injection. The issue has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (HeroDevs).

The vulnerability can result in the injection of malicious scripts (XSS) that may lead to the exfiltration of sensitive data to remote servers. This is particularly concerning when a button binds its data attribute to URL parameters or input fields, allowing attackers to inject and execute malicious code (HeroDevs).

Since Bootstrap 3 has reached End-of-Life, users should either migrate to a newer version of Bootstrap or leverage a commercial support partner for post-EOL security support. HeroDevs has provided a patch in their Never-Ending Support (NES) version of Bootstrap 3 (bootstrap@3.4.5) that properly sanitizes data attributes to block potential XSS attacks through this vector (HeroDevs).