[GHSA-gv5r-9gxr-v74w] Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data#7039
Conversation
Hi! We can support listing both 0.9.15 and 2.0.0 as patched versions for this advisory. Alternatively, we can list 2.0.0 as the patched version and add a note clarifying that while
Thanks for the review @helixplant. Yes, understood. To be clear, the file in question was removed in 0.9.15 and all versions since (including 1.1.2 etc.). I'm not sure it's really my call in terms of what is considered "vulnerable" here, except to say that 2.0.0 definitely doesn't have the file in question anymore. I'd suggest the current PR as it stands (marking 2.0.0 as resolving the issue) is likely the best course of action, as it at least allows for a migration path, albeit with the drawback that it comes along with a major dependency change in the underlying Bootstrap framework. Thanks!
The post.php file in question was removed in davidstutz/bootstrap-multiselect@4f17795, as included in the 2.0.0 release (davidstutz/bootstrap-multiselect@v1.1.2...v2.0.0). Although I think it's important to note that the file was removed from the 0.9.15 release (removed after the 0.9.13-1 release), albeit still present in the source repo. See:
https://www.npmjs.com/package/bootstrap-multiselect/v/0.9.15?activeTab=code
vs
https://www.npmjs.com/package/bootstrap-multiselect/v/0.9.13-1?activeTab=code
Thus pre-2.0.0 would require someone to have sourced the code (not the package) from git directly AND have decided, against reason, to use what would be seen as a test fragment.
So in reality this advisory probably should be limited to <= 0.9.13-1, with 0.9.15 being the patched version. Happy to update if that is the consensus.