I too am entirely out of my comfort zone with JavaScript, so my level of
certainty is low, based solely on the text of CVE-2019-8331 which says
(all?) Bootstrap versions prior to 3.4.1 are affected. I also did not
check the rdepends for python3-xstatic-bootstrap-scss in Ubuntu and
perhaps incorrectly assumed it might be used by more packages or by
unpackaged software on people's systems.

I'll continue trying to get one of the Horizon developers to provide
input on this report... I am but a humble vulnerability coordinator in
this particular case, far from being a subject matter expert on the
software.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940450

Title:
  XSS The data-template attribute of the tooltip and popover plugins
  lacks input sanitization and may allow attacker to execute arbitrary
  JavaScript.


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs