CVE-2024-6531: 
JavaScript vulnerability analysis and mitigation

A vulnerability (CVE-2024-6531) has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue was discovered in the carousel component of Bootstrap versions 4.0.0 through 4.6.2, and was disclosed on July 11, 2024. The vulnerability affects the data-slide and data-slide-to attributes which can be exploited through the href attribute of an anchor tag due to inadequate sanitization (HeroDevs).

The vulnerability occurs when an anchor element used for carousel navigation with a data-slide attribute contains an href attribute value that is not properly sanitized. The issue arises from improper extraction of the intended target carousel's #id from the href attribute, which can lead to cases where the click event's preventDefault() is not applied and the href is evaluated and executed. This occurs specifically when there is no valid data-target attribute present, as a valid data-target would override the href and prevent XSS evaluation (HeroDevs). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L (NVD).

A successful exploitation of this vulnerability could enable attackers to execute arbitrary JavaScript within the victim's browser. This could potentially lead to various malicious activities including data theft, session hijacking, or other client-side attacks (HeroDevs).

Users of affected Bootstrap versions should either migrate to a newer version of Bootstrap or leverage a commercial support partner like HeroDevs for post-EOL security support. HeroDevs has released a patch in their Never-Ending Support (NES) version of Bootstrap 4 (bootstrap@4.6.2-bootstrap-4.6.4) that properly sanitizes href attributes to block potential XSS attacks (HeroDevs).