I inspected some of the python3-xstatic-bootstrap-scss package: ./python-xstatic-bootstrap-scss_3.3.7.1-5/xstatic/pkg/bootstrap_scss/data/js/bootstrap/tooltip.js
While the header sure looks related, I couldn't find *any* hints that the patch from https://github.com/twbs/bootstrap/pull/28236/commits/5efa9b531d25927b907e3fa24b818608bc38a2f0 is remotely related. If they are related, that file has changed pretty drastically in the meantime.

Jeremy, can I ask how confident you are that that package contains a version of the bootstrap tooltips that needs to be updated to address this flaw? (I only found one user of this package, python3-vitrage-dashboard -- with just one user, it might also justify a similar "is this even an issue?" sort of check.)

Thanks

** Also affects: python-xstatic-bootstrap-scss (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
       Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1940450/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
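The flaw named in the bug title, shown as an added example that is not code from the bug report, from Bootstrap or from the Debian package: a tooltip plugin takes its markup from the `template` option, which `data-template` overrides, and before the upstream fix handed that string to the DOM unsanitized. The block below contrasts that path with an allowlist sanitizer modelled on the approach the fix took (drop elements and attributes not on the list, accept only safe URL schemes). The allowlist contents, the URL patterns, the function names (`sanitizeTemplate`, `resolveTemplate`) and the payload are this example's own assumptions, not identifiers from the packaged tooltip.js. It runs under Node without a DOM, so it tokenizes the markup itself; in a browser the template should be parsed with DOMParser and the resulting nodes walked, rather than trusting a regex tokenizer.

```javascript
// Added example: allowlist sanitizer for a tooltip/popover template string.
// Not the plugin's own code; names and lists below are this example's assumptions.

// Allowlist shape: element name -> allowed attributes; '*' applies to every element.
const DEFAULT_WHITELIST = {
  '*': ['class', 'dir', 'id', 'lang', 'role', /^aria-[\w-]*$/i],
  a: ['target', 'href', 'title', 'rel'],
  b: [], br: [], code: [], div: [], em: [], h1: [], h2: [], h3: [], h4: [], h5: [], h6: [],
  hr: [], i: [], img: ['src', 'alt', 'title', 'width', 'height'],
  li: [], ol: [], p: [], pre: [], s: [], small: [], span: [], strong: [], sub: [], sup: [], u: [], ul: [],
};

// Attributes whose value is a URL and therefore needs a scheme check.
const URI_ATTRIBUTES = ['background', 'cite', 'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href'];
// Absolute URL with a benign scheme, or a relative URL (no ':' or '&' before the first '/', '?' or '#').
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/i;
// Base64 data: URLs for a fixed set of image/audio/video types only (no text/html, no svg).
const DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[a-z0-9+/]+=*$/i;

function isAllowedAttribute(name, value, allowed) {
  if (allowed.includes(name)) {
    // Event handlers (onerror, onclick, ...) never reach here: they are not on any list.
    return URI_ATTRIBUTES.includes(name)
      ? SAFE_URL_PATTERN.test(value) || DATA_URL_PATTERN.test(value)
      : true;
  }
  // RegExp entries in the allowlist (e.g. aria-*) match on the attribute name only.
  return allowed.some((entry) => entry instanceof RegExp && entry.test(name));
}

// Stray angle brackets in text nodes are neutralised; attribute values are re-quoted.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/"/g, '&quot;');

function sanitizeTemplate(html, whiteList = DEFAULT_WHITELIST) {
  // One tag: optional '/', a name, zero or more attributes, optional self-close.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>=\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
  const attrRe = /([^\s"'<>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const [, closing, rawName, attrText, selfClosing] = m;
    const name = rawName.toLowerCase();
    // Unknown element (script, svg, iframe, ...): drop the tag, keep its content as plain text.
    if (!Object.prototype.hasOwnProperty.call(whiteList, name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    const allowed = [...(whiteList['*'] || []), ...whiteList[name]];
    const kept = [];
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (isAllowedAttribute(attrName, value, allowed)) kept.push(`${attrName}="${escapeAttr(value)}"`);
    }
    out += `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClosing ? ' /' : ''}>`;
  }
  return out + escapeText(html.slice(last));
}

// Default markup a tooltip plugin would use when no data-template is supplied (assumed).
const DEFAULT_TEMPLATE = '<div class="tooltip" role="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>';

// Mirrors the option flow: data-template overrides the default. With sanitize=false this is
// the pre-fix behaviour (string goes to the DOM as-is); with sanitize=true it passes the allowlist.
function resolveTemplate(dataTemplate, { sanitize = true, whiteList = DEFAULT_WHITELIST } = {}) {
  const template = dataTemplate ?? DEFAULT_TEMPLATE;
  return sanitize ? sanitizeTemplate(template, whiteList) : template;
}

// Constructed payload: the regular template with an event handler smuggled into it.
const PAYLOAD = DEFAULT_TEMPLATE.replace('</div></div>', '</div><img src=x onerror=alert(1)></div>');

console.log('unsanitized:', resolveTemplate(PAYLOAD, { sanitize: false }));
console.log('sanitized:  ', resolveTemplate(PAYLOAD));
```

Running the two paths against the same `data-template` string is the kind of check to apply when deciding whether a packaged copy of the plugin is affected: if the string reaches the DOM with `onerror=` intact, the copy lacks the sanitization step the bug title refers to. The tokenizer deliberately does not decode entities, so an encoded scheme such as `&#106;avascript:` fails the URL check rather than being normalized into something dangerous.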
