CVE-2018-14042 in Bootstrap
Summary
by MITRE
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability identified as CVE-2018-14042 represents a cross-site scripting vulnerability within the Bootstrap JavaScript library that affects versions prior to 4.1.2. This flaw specifically resides in the tooltip component's data-container property implementation, where insufficient input validation and output sanitization allow malicious actors to inject arbitrary JavaScript code. The vulnerability stems from the library's failure to properly escape or validate user-provided content when processing the data-container attribute, creating a persistent security risk for web applications that rely on Bootstrap's tooltip functionality.
The technical exploitation of this vulnerability occurs when developers use the data-container property to specify where tooltips should be appended within the DOM structure. When malicious input is passed through this attribute, the Bootstrap library fails to sanitize the content before rendering it, allowing attackers to inject malicious scripts that execute in the context of the victim's browser. This creates a classic XSS attack vector where the malicious code can steal session cookies, redirect users to malicious sites, or perform other harmful actions. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a common weakness in web application security where input validation is insufficient.
The operational impact of CVE-2018-14042 extends beyond simple script injection as it can compromise entire user sessions and enable advanced persistent threats within web applications. When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of any user who interacts with a vulnerable tooltip component, potentially leading to account takeover, data exfiltration, or privilege escalation. The attack surface is particularly concerning given Bootstrap's widespread adoption across enterprise and government web applications, where a single vulnerable component can compromise multiple systems. Security frameworks like ATT&CK recognize this pattern as a common technique for initial access and lateral movement within compromised environments.
Mitigation strategies for this vulnerability primarily involve upgrading to Bootstrap version 4.1.2 or later, where the library properly sanitizes input for the data-container property. Organizations should also implement comprehensive input validation at the application level, particularly for any user-provided content that might be passed to Bootstrap components. Additional protective measures include implementing strict content security policies, using security headers to prevent script execution, and conducting regular security assessments of third-party libraries. The vulnerability demonstrates the critical importance of maintaining up-to-date dependencies and implementing defense-in-depth strategies to protect against known vulnerabilities in widely-used web frameworks.