CVE-2025-1647
ASP.NET Core vulnerability analysis and mitigation

Overview

A cross-site scripting (XSS) vulnerability has been identified in Bootstrap 3.4.1 and later 3.x releases (versions from 3.4.1 before 4.0.0). It affects the Bootstrap 3 Popover and Tooltip components, whose built-in HTML sanitizer can be made to pass attacker-controlled HTML into the page unsanitized (HeroDevs).

Technical details

The flaw is a DOM-based cross-site scripting (XSS) bug reached through DOM clobbering. Browsers expose elements that carry certain `id` or `name` attributes as named properties of `document` (and `window`), so attacker-controlled markup that is itself inert can shadow a built-in property such as `document.implementation`. Bootstrap 3.4.1's `sanitizeHtml` helper, which the Tooltip and Popover components apply when the `html` option is enabled, builds a scratch document with `document.implementation.createHTMLDocument()` and filters the parsed result against a whitelist. Its feature-detection guard treats a missing `createHTMLDocument` as an old browser and returns the input unchanged. If `document.implementation` has been clobbered, `createHTMLDocument` is no longer found, the guard fires, and the sanitization step is skipped, so the attacker's HTML reaches the page unfiltered. The vulnerability has been assigned a CVSS v3.1 base score of 5.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L; the high attack complexity reflects that an attacker needs both a markup-injection foothold to clobber the property and attacker-influenced content rendered through a tooltip or popover with HTML enabled (HeroDevs, NVD).
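The example below is added here and is not Bootstrap's own code. It reproduces the shape of the feature-detection guard that sits in front of `document.implementation.createHTMLDocument()` in Bootstrap 3.4.1's `sanitizeHtml`, shows how a clobbered `document.implementation` turns that guard into a bypass, and contrasts a fail-closed guard that refuses to emit HTML instead. Two things are assumptions: the whitelist walk over the scratch document is reduced to a stub (it is not the part being bypassed), and both `document` objects are constructed stand-ins so the file runs under Node; in a browser you would pass the real `document`, and the "clobbered" shape is what `document.implementation` looks like once the page contains an element such as `<img name="implementation">`.

```javascript
// Added example, not Bootstrap's own code. Reproduces the fail-open
// feature-detection guard around document.implementation.createHTMLDocument()
// and a fail-closed replacement. Both documents below are constructed
// stand-ins so this runs under Node; in a browser pass the real `document`.

const GENUINE_TAG = "[object DOMImplementation]";

// Stand-in for Bootstrap's element/attribute whitelist walk. In a browser this
// sets createdDocument.body.innerHTML = unsafeHtml and strips anything that is
// not whitelisted; here it only proves that the sanitizing path was taken.
function walkAndFilter(createdDocument, unsafeHtml) {
  createdDocument.body.innerHTML = unsafeHtml;
  return { html: createdDocument.body.innerHTML, path: "sanitized" };
}

// Bootstrap-3.4.1-style guard (fails open): a missing createHTMLDocument is
// treated as "old browser" and the raw HTML is handed back unchanged.
// A caller-supplied sanitizeFn runs before the guard is consulted.
function sanitizeHtmlFailOpen(unsafeHtml, doc, sanitizeFn) {
  if (unsafeHtml.length === 0) return { html: unsafeHtml, path: "empty" };
  if (typeof sanitizeFn === "function") return { html: sanitizeFn(unsafeHtml), path: "custom" };
  if (!doc.implementation || !doc.implementation.createHTMLDocument) {
    return { html: unsafeHtml, path: "bypassed" }; // the bug: unsanitized input escapes
  }
  return walkAndFilter(doc.implementation.createHTMLDocument("sanitization"), unsafeHtml);
}

// Is document.implementation still the browser's own object? A clobbering
// element reports its own class (e.g. "[object HTMLImageElement]"); injected
// markup cannot forge Symbol.toStringTag, so this check is robust against it.
function isClobbered(doc) {
  const impl = doc.implementation;
  return Object.prototype.toString.call(impl) !== GENUINE_TAG ||
         typeof impl.createHTMLDocument !== "function";
}

// Fail-closed guard: if the sanitizer cannot run, emit nothing rather than
// emitting the attacker's HTML.
function sanitizeHtmlFailClosed(unsafeHtml, doc, sanitizeFn) {
  if (unsafeHtml.length === 0) return { html: unsafeHtml, path: "empty" };
  if (typeof sanitizeFn === "function") return { html: sanitizeFn(unsafeHtml), path: "custom" };
  if (isClobbered(doc)) return { html: "", path: "refused" };
  return walkAndFilter(doc.implementation.createHTMLDocument("sanitization"), unsafeHtml);
}

// --- constructed stand-ins (not browser objects) -------------------------
function makeScratchDocument() {
  let stored = "";
  return { body: { get innerHTML() { return stored; }, set innerHTML(h) { stored = h; } } };
}

// What an unclobbered document.implementation looks like to the guard.
const genuineDocument = {
  implementation: {
    [Symbol.toStringTag]: "DOMImplementation",
    createHTMLDocument() { return makeScratchDocument(); },
  },
};

// What document.implementation looks like after the page contains
// <img name="implementation">: an element, with no createHTMLDocument.
const clobberedDocument = {
  implementation: { [Symbol.toStringTag]: "HTMLImageElement", name: "implementation" },
};

// Constructed payload of the kind a tooltip with html:true would render.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Stand-in for a real sanitizer passed via Bootstrap's sanitizeFn option
// (e.g. DOMPurify.sanitize); it is consulted before the clobberable guard.
const customSanitizer = () => "<b>purified</b>";

function demo() {
  return {
    honest:   sanitizeHtmlFailOpen(PAYLOAD, genuineDocument).path,     // "sanitized"
    bypassed: sanitizeHtmlFailOpen(PAYLOAD, clobberedDocument),        // raw payload, "bypassed"
    refused:  sanitizeHtmlFailClosed(PAYLOAD, clobberedDocument),      // "", "refused"
    custom:   sanitizeHtmlFailOpen(PAYLOAD, clobberedDocument, customSanitizer).html,
  };
}

console.log(demo());
```

In a browser console, `isClobbered(document)` (or simply `document.implementation instanceof DOMImplementation`) tells you whether a page already carries clobbering markup. Pinning a reference to the native `createHTMLDocument` at library load time is not sufficient on its own, because server-rendered attacker markup is already in the DOM before any script runs; checking the object's type on every call, and failing closed when the check fails, is what removes the bypass.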

Impact

According to OWASP, cross-site scripting attacks are a type of injection in which malicious scripts are injected into otherwise trusted websites. Here the injected script runs in the origin of the application that embeds the vulnerable tooltip or popover, so it can read data the page exposes to JavaScript, act on the user's behalf against the application, and alter what the user sees (HeroDevs).

Mitigation and workarounds

Since Bootstrap 3 is End-of-Life, it will not receive an official update for this issue. Users are advised either to migrate affected applications to a supported Bootstrap release or to obtain post-EOL security support from a commercial support partner (HeroDevs). Until then, two configuration-level measures reduce exposure: leave the tooltip and popover `html` option at its default of `false`, so titles and content are inserted as text and the sanitizer is never needed, and, where HTML output is genuinely required, supply a trusted sanitizer through the `sanitizeFn` option (for example DOMPurify), since a caller-supplied sanitizer is applied before the clobberable `createHTMLDocument` check is consulted.
