• During a security audit of our website, we identified that ElementsKit Lite bundles an internal copy of Bootstrap 4.0.0 inside widgets/init/assets/js/widget-scripts.js, labeled in the code as “Ekit Prefixed Bootstrap.”

    Bootstrap 4.0.0 is affected by several known XSS vulnerabilities (CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2019-8331), which were patched in Bootstrap 4.1.2 and later. We have confirmed this bundled copy is present in the latest release (v3.9.3) and has not been updated in any published version.

    We would like to request that the bundled Bootstrap dependency be updated to a patched version (4.6.x or 5.x) in a future release.

    Thank you.
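A way to check a bundled copy against the versions discussed in this report, as an added example (not code from the report or from the plugin). It assumes the embedded copy still carries Bootstrap's standard `Bootstrap vX.Y.Z` header comment, and the fix versions come from the Bootstrap advisories (on the 4.x line CVE-2019-8331 was fixed in 4.3.1, the three 2018 CVEs in 4.1.2):

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Version at which each CVE from the report was fixed, per Bootstrap major line.
# None means that major line is not affected. Values from the Bootstrap advisories.
FIXED_IN: Dict[str, Dict[int, Optional[Version]]] = {
    "CVE-2018-14040": {3: (3, 4, 0), 4: (4, 1, 2)},
    "CVE-2018-14041": {3: None,      4: (4, 1, 2)},
    "CVE-2018-14042": {3: (3, 4, 0), 4: (4, 1, 2)},
    "CVE-2019-8331":  {3: (3, 4, 1), 4: (4, 3, 1)},
}

# Bootstrap's own header comment, e.g. "/*! Bootstrap v4.0.0 (https://getbootstrap.com)".
BANNER = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")


def find_bootstrap_versions(js_text: str) -> List[Version]:
    """Return every Bootstrap version banner found in a script, in file order."""
    return [tuple(int(n) for n in m.groups()) for m in BANNER.finditer(js_text)]


def unfixed_cves(version: Version) -> List[str]:
    """CVEs from the report that the given Bootstrap version still carries."""
    major = version[0]
    hits = []
    for cve, fixed in FIXED_IN.items():
        fix_version = fixed.get(major)  # majors not in the table (e.g. 5.x) are skipped
        if fix_version is not None and version < fix_version:
            hits.append(cve)
    return hits


def audit(js_text: str) -> Dict[str, List[str]]:
    """Map each embedded Bootstrap version to the CVEs it still carries."""
    return {".".join(map(str, v)): unfixed_cves(v) for v in find_bootstrap_versions(js_text)}


# Constructed sample: a plugin bundle that concatenates its own code with a
# Bootstrap 4.0.0 copy (as in the report) and, for contrast, a patched 3.4.1 copy.
SAMPLE_BUNDLE = """
/* plugin widget scripts (constructed sample) */
/*! Bootstrap v4.0.0 (https://getbootstrap.com) */
!function(){}();
/*! Bootstrap v3.4.1 (https://getbootstrap.com/) */
!function(){}();
"""

if __name__ == "__main__":
    for ver, cves in audit(SAMPLE_BUNDLE).items():
        print(f"Bootstrap {ver}: {'OK' if not cves else ', '.join(cves)}")
```

A copy whose banner was rewritten (the report mentions the label "Ekit Prefixed Bootstrap") needs an extra pattern for that label, since only the standard header is matched here.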

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi glampetsts

    Thank you for bringing this to our attention. We are already aware of this concern, and our development team is currently working on removing the Bootstrap dependency from ElementsKit Lite. We are moving toward implementing our own CSS framework, which will provide better security, stability, and overall performance.

    We appreciate your detailed report and your contribution to improving the plugin.

    Thank you for your understanding.

    Regards,
    Ikbal

    @glampetsts

    CVE-2018-14040 was patched in 3.4.0

    CVE-2018-14041 does not exist in bootstrap 3.3.7 or above

    CVE-2018-14042 was patched in 3.4.0 https://github.com/advisories/GHSA-7mvr-5x2g-wfc8

    CVE-2019-8331 was fixed in version 3.4.1

    Anyway @tusherikbal please update bootstrap to version 3.4.1, which is easy and fixes 3 vulnerabilities that exist in bootstrap 3.3.7. You can just update the bootstrap.js and bootstrap.css to version 3.4.1 without losing functionality of your plugin. They are almost 100% the same except the fix for the 2 vulnerabilities

    v3.4.1

    • Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer

    v3.4.0



    https://www.herodevs.com/support/nes-bootstrap?utm_source=Bootstrap_site&utm_medium=Banner&utm_campaign=v3and4_eol

    @tusherikbal I can send you a modified bootstrap 3.4.1 version that fixes all security issues, also the one that is not fixed in v3.4.1 (cve-2025-2647). It is very easy to fix yourselves and that closes all security issues with bootstrap below version 4

    https://www.herodevs.com/vulnerability-directory/cve-2025-1647?nes-for-bootstrap

    Hi,

    Thank you for sharing this information and for your effort in helping us improve security. We truly appreciate your suggestion and the resources you provided regarding the Bootstrap vulnerabilities and fixes.

    Our development team is already reviewing and working on the related security improvements internally. Your feedback is valuable to us and will certainly help during the investigation and update process.

    Thank you again for your cooperation and support.

    Best regards,
    Ikbal
