XSS in Bootstrap data-target attribute

A flaw was found in Bootstrap. Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.
Summary
A vulnerability in Bootstrap could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
The vulnerability exists in the data-target attribute of the affected software and is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a targeted user to follow a malicious link. A successful exploit could allow the attacker to conduct an XSS attack, which could be used to access sensitive information on the targeted system.
Steps to reproduce
1) Use the following markup:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script src="https://url/js/bootstrap.min.js"></script>
<button data-toggle="collapse" data-target="<img src=x onerror=alert(11111)>">Test</button>
2) Save this in HTML format.
3) Press the Test button and see that the XSS works.
There is a security vulnerability regarding Bootstrap 3.3.7. It says that “Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.”
The so-called ‘vulnerability’ only occurs if the data-target value relies on data injected by something external (directly or indirectly) AND is shown on a page where users other than the attacker are affected.
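Since the issue only arises when a data-target value comes from external data, that value can be checked before it reaches the page. The following is an added example, not part of the original write-up or of Bootstrap. It assumes the application only needs a single #id or .class target, and the names isSafeTarget, buildTargetAttr and findUnsafeTargets are hypothetical.

```javascript
// Added example (not Bootstrap code). Assumption: targets are one "#id" or ".class".
const SAFE_TARGET = /^[#.][A-Za-z_][A-Za-z0-9_-]*$/;

// True only for a single id/class selector. Markup, quotes, whitespace and
// entity-encoded text are all rejected. HTML-escaping alone is not enough here:
// the browser decodes entities before any script reads the attribute value.
function isSafeTarget(value) {
  return typeof value === 'string' && SAFE_TARGET.test(value);
}

// Use when a data-target value is derived from external input.
function buildTargetAttr(value) {
  if (!isSafeTarget(value)) {
    throw new Error('data-target value is not a plain #id or .class selector');
  }
  return 'data-target="' + value + '"';
}

// Audit helper: return the data-target values in a template or stored page
// that are not plain selectors. A regex scan, not a full HTML parser.
function findUnsafeTargets(html) {
  const re = /\bdata-target\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const value = m[1] !== undefined ? m[1] : m[2];
    if (!isSafeTarget(value)) hits.push(value);
  }
  return hits;
}

// Constructed sample input; the second line is the button from the steps above.
const sample = [
  '<button data-toggle="collapse" data-target="#menu">Menu</button>',
  '<button data-toggle="collapse" data-target="<img src=x onerror=alert(11111)>">Test</button>',
  "<a data-toggle='collapse' data-target='.panel-body'>More</a>",
  '<a data-toggle="collapse" data-target="&lt;img src=x&gt;">Encoded</a>',
].join('\n');

console.log(findUnsafeTargets(sample));
```

The audit helper flags both the raw and the entity-encoded value, which is why the check is an allowlist of selector shapes rather than a search for angle brackets.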
Impact
The vulnerability might be affecting a feature of the library that the website is not using. If the vulnerable feature is not used, this alert can be considered false positive.
The library name and its version are identified based on a Retire.js signature. If the library identification is not correct, the prior vulnerability does not apply.