{"id":"CVE-2019-20921","details":"bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.","aliases":["GHSA-7c82-mp33-r854","GHSA-9r7h-6639-v5mw","SNYK-JS-BOOTSTRAPSELECT-570457"],"modified":"2026-05-18T17:38:15.762466Z","published":"2020-09-30T18:15:18.007Z","references":[{"type":"WEB","url":"https://issues.jtl-software.de/issues/SHOP-7964"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9r7h-6639-v5mw"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457"},{"type":"ADVISORY","url":"https://www.npmjs.com/advisories/1522"},{"type":"FIX","url":"https://github.com/snapappointments/bootstrap-select/issues/2199"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/snapappointments/bootstrap-select","events":[{"introduced":"0"},{"fixed":"728c4c6e92124a9f00c7f4f3f99c39ab1375c054"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.13.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:snapappointments:bootstrap-select:*:*:*:*:*:node.js:*:*"}}],"versions":["v1.13.5","v1.13.4","v1.13.3","v1.13.2","v1.13.1","v1.13.0","v1.13.0-beta","v1.13.0-alpha","v1.12.4","v1.12.3","v1.12.2","v1.12.1","v1.12.0","v1.11.2","v1.11.1","v1.11.0","v1.10.0","v1.9.4","v1.9.3","v1.9.2","1.9.1","1.9.0","v1.8.1","v1.8.0","v1.7.7","v1.7.5","v1.7.4","v1.7.3","v1.7.2","v1.7.1","v1.7.0","v1.7.0-rc6","v1.7.0-rc5","v1.7.0-rc4","v1.7.0-rc3","v1.7.0-rc2","v1.7.0-rc1","v1.6.5","v1.6.4","v1.6.3","v1.6.2","v1.6.1","v1.6.0","1.5.4","1.5.2","1.5.1","1.5.0","1.4.3","1.4.2","1.4.1","1.4.0","1.3.7","1.3.6","1.3.5","1.3.4","1.3.3","1.3.1","1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20921.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}