CVE-2024-6485

unknown

Published 2024-07-11 · Modified 2026-02-04

CVSS v3

—

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

CVSS v2

—

VIR risk

—

Description

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-6485

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`3.4.1+dfsg-3+deb12u1`
debian	bullseye	fixed	`3.4.1+dfsg-2+deb11u1`
debian	forky	fixed	`3.4.1+dfsg-4`
debian	sid	fixed	`3.4.1+dfsg-4`
debian	trixie	fixed	`3.4.1+dfsg-4`

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	bootstrap	`>=1.4.0,<=3.4.1`

References

Verify integrity in audit chain (admin only). AS-IS.