
Bootstrap Cross-Site Scripting (XSS) vulnerability

Open RealKai42 opened this issue 1 year ago • 1 comments

Describe the problem

Link: https://github.com/advisories/GHSA-vc8w-jr9v-vj7f

  ┌──────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
  │         Library          │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
  ├──────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
  │ bootstrap (package.json) │ CVE-2024-6531 │ MEDIUM   │ fixed  │ 4.6.0             │ 5.0.0         │ A vulnerability has been identified in Bootstrap that │
  │                          │               │          │        │                   │               │ exposes users to ......                               │
  │                          │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6531             │
  └──────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘
  

This vulnerability is still present in the latest version of r-bslib, as it bundles Bootstrap version 4.6.0, which is affected by the issue.

Could the bslib team help fix this vulnerability to protect the library's users?

Request for Assistance

Could the r-bslib team update Bootstrap to version 5.0.0 or higher to resolve this vulnerability and ensure the security of the library’s users?

RealKai42, Jan 10 '25 02:01

bslib defaults to version 5.3.1 now. You have to specifically opt-in to 4.6.0 by doing bs_theme(version = 4)

cpsievert, Jan 21 '25 16:01
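As an added example (not code from the bslib project or from either participant in this thread), the R script below reports which Bootstrap major version a bslib theme resolves to, so an app author can confirm whether they are on the 4.x line the advisory above refers to or on the 5.x default. It uses bslib's bs_theme() and theme_version() and assumes theme_version() returns the major version as a string, which the as.integer() call normalises.

```r
# Added example, not part of the bslib project or this issue thread.
# Reports the Bootstrap major version each bslib theme resolves to and flags
# anything below the fixed version (5.0.0) named in the advisory table above.
library(bslib)

# Returns a one-row data.frame for a theme: its Bootstrap major version and
# whether that version is older than the 5.0.0 fix named in CVE-2024-6531.
audit_theme <- function(theme, label) {
  # Assumption: theme_version() returns the major version as a string (e.g. "5").
  major <- as.integer(theme_version(theme))
  data.frame(
    theme = label,
    bootstrap_major = major,
    below_fixed = major < 5,   # 5 is the major of the fixed version (5.0.0)
    stringsAsFactors = FALSE
  )
}

# Compare the current default with the explicit version = 4 opt-in the
# maintainer describes, plus an explicit version = 5 for completeness.
report <- rbind(
  audit_theme(bs_theme(), "bs_theme() default"),
  audit_theme(bs_theme(version = 4), "bs_theme(version = 4) opt-in"),
  audit_theme(bs_theme(version = 5), "bs_theme(version = 5) explicit")
)
print(report)

# Fail loudly in CI if an app's theme still resolves to a pre-5.0.0 Bootstrap.
stopifnot(!report$below_fixed[report$theme == "bs_theme() default"])
```

The same audit_theme() call can be pointed at the theme object an existing Shiny app passes to its page function, which is the quickest way to tell whether a version = 4 opt-in is still lingering in that app's code.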