Lawlez (3)

Technical Analysis

Because this vulnerability only arises when the carousel is in use, and we can control the href attribute, the rating given is lower than usual.

Example:

<div id="Carousel" class="carousel"></div>
<a href="javascript:alert('xss')" data-slide="prev">
  Previous Slide
</a>

Bootstrap carousel component: https://getbootstrap.com/docs/4.6/components/carousel/

In the two scenarios where Bootstrap was used by the target, there was either no carousel in use or, like most, a carousel with non-user-controllable elements, giving no way to exploit it unless you are already an admin on the CMS.

While successful exploitation of this vulnerability could lead to code execution and could even be used to capture higher-privileged credentials, the real-world exploitability of this vulnerability seems rather low.

So to summarize, to be able to actually exploit it we need:

  • a website using an affected Bootstrap version
  • the website must implement the carousel component from Bootstrap
  • we must be able to control the href attribute given to the carousel
  • no presence of a valid data-target attribute, because it would override the href and the XSS would not be evaluated.
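As an added example that is not part of Lawlez's assessment or of Bootstrap's own code, the following audit helper checks markup for exactly the conditions listed above: a carousel trigger link (data-slide / data-slide-to) whose href is a javascript: URL and which has no data-target that would take precedence. The attribute parser and sample markup are constructed for the example and assume simple quoted attributes.

```javascript
// Constructed audit helper (not Bootstrap code): flags carousel trigger links
// where the selector Bootstrap would resolve is a javascript: URL.
const TRIGGER_ATTRS = ["data-slide", "data-slide-to"];

// Parse the attributes of a single <a ...> opening tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Mirror the precedence the analysis describes: a non-empty data-target wins,
// otherwise the href is used as the carousel selector.
function resolveSelector(attrs) {
  if (attrs["data-target"] && attrs["data-target"].trim() !== "") {
    return attrs["data-target"];
  }
  return attrs.href || "";
}

// Return every carousel trigger whose resolved selector is a javascript: URL.
function auditCarouselTriggers(html) {
  const findings = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    const isTrigger = TRIGGER_ATTRS.some((a) => a in attrs);
    if (!isTrigger) continue;
    const selector = resolveSelector(attrs).trim();
    if (/^javascript:/i.test(selector)) {
      findings.push({ tag: m[0], selector });
    }
  }
  return findings;
}

// Constructed sample markup: one risky trigger, one neutralised by data-target,
// and one plain link that is not a carousel trigger at all.
const SAMPLE_HTML = `
<div id="Carousel" class="carousel"></div>
<a href="javascript:alert('xss')" data-slide="prev">Previous Slide</a>
<a href="javascript:alert('xss')" data-target="#Carousel" data-slide="next">Next</a>
<a href="javascript:void(0)">Not a trigger</a>
`;
```

Running `auditCarouselTriggers(SAMPLE_HTML)` reports only the first link; the second is protected by its data-target and the third is never treated as a carousel trigger.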