Security readout for executives and security teams
Plain-English summary
This CVE affects older bootstrap-select versions that failed to escape option title values. If an application places attacker-controlled text into those values, JavaScript could run in a user’s browser. Business impact depends on where the library is embedded and whether untrusted data reaches select options.
Executive priority
Treat this as a targeted web-application hygiene issue. Prioritize internet-facing applications, admin panels, and customer portals using bootstrap-select, but do not escalate as actively exploited based on the provided evidence.
Technical view
bootstrap-select before 1.13.6 did not escape title values in OPTION elements, creating a client-side XSS condition. The source bundle states arbitrary JavaScript execution in the victim browser is possible. No CVSS vector, CWE, or confirmed active exploitation evidence is provided.
Likely exposure
Exposure is most likely in web applications bundling bootstrap-select before 1.13.6, especially forms or admin interfaces where option titles are generated from user-controlled or partner-controlled data.
Exploitation context
The bundle does not show CISA KEV listing or active exploitation. Exploitation would require a vulnerable page path and attacker influence over an OPTION title value seen by a victim.
Researcher notes
Key missing details are CVSS, CWE mapping, affected downstream products, and exploit-in-the-wild evidence. Validate actual reachability because the library version alone does not prove attacker-controlled data reaches OPTION title values.
Mitigation direction
- Upgrade bootstrap-select to version 1.13.6 or later.
- Review vendor advisories for any project-specific upgrade guidance.
- Ensure option title values are escaped before rendering.
- Avoid placing untrusted input into option metadata without sanitization.
Validation and detection
- Inventory frontend dependencies for bootstrap-select versions before 1.13.6.
- Check bundled static assets, not only package manifests.
- Review select option generation for user-controlled title values.
- Confirm remediated builds no longer include vulnerable bootstrap-select code.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2019-20921 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://www.npmjs.com/advisories/1522CVE reference
- https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457CVE reference
- https://github.com/advisories/GHSA-9r7h-6639-v5mwCVE reference
- https://github.com/snapappointments/bootstrap-select/issues/2199CVE reference
- https://issues.jtl-software.de/issues/SHOP-7964CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
