Advisories for Npm/Bootstrap-Sass package

In Bootstrap, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

In Bootstrap 2.x from 2.0.4, 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041. See https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ for more info.

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041.