Unfortunately, we learned today that the LIST BLOCK in the Softr app uses a vulnerable version of the Bootstrap.js library. As such, this allows attackers to potentially perform cross-site scripting (XSS) attacks, which could harm our users.
My questions to the Softr team are:
When can this specific vulnerability be fixed?
This vulnerability has been known since July 2024. How often does Softr perform regular vulnerability scans on the JavaScript libraries they use?
What is Softr’s policy on resolving these security issues in a timely manner?
The issue you shared is related to the usage of Bootstrap’s carousel component, which we are not using… and in general we are planning to get rid of that library usage altogether…
So as of now this should not have any impact on Softr apps.
A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.
Thanks for the update. Unfortunately, when a user performs a 3rd party vulnerability scan on a website that has the LIST BLOCK Softr app referenced as an iframe, this vulnerability is still shown to the user. (Even if the underlying library is not actually used by Softr.)
This creates a perception that Softr-powered websites are vulnerable.
We don’t want to get into the business of explaining all of these nuances to our users, every time they see this vulnerability.
So, can you provide an ETA on when the vulnerable library will be removed from the code (since it’s unneeded / not-essential)?
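As an added example for the carousel issue described in the thread (this is not Softr's or Bootstrap's code), the check below audits static HTML for carousel trigger anchors (data-slide / data-slide-to) and flags any whose href is not a plain same-document fragment such as "#myCarousel", which is the allow-list a defender would apply before such markup reaches the page. The id syntax accepted by SAFE_HREF_RE and the sample markup are assumptions constructed for the example.

```javascript
// Added example, not code from the original thread or from Bootstrap/Softr.
// The quoted advisory says the carousel resolves its target from the href of
// an <a> carrying data-slide or data-slide-to. A defensive audit therefore
// requires that href to be a same-document element-id reference and nothing else.

// Attribute tokenizer for the inside of a start tag (name="v", name='v', name=v).
const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Assumption: element ids follow [A-Za-z][\w-]*; tighten to your own id scheme.
const SAFE_HREF_RE = /^#[A-Za-z][\w-]*$/;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    // Exactly one of the value groups matches; unmatched groups are undefined.
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Returns one finding per carousel trigger whose href is not a plain fragment id.
// A missing href is also reported, since the trigger cannot be safely resolved.
function auditCarouselTriggers(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    const isTrigger = 'data-slide' in attrs || 'data-slide-to' in attrs;
    if (!isTrigger) continue;
    const href = attrs.href ?? '';
    if (!SAFE_HREF_RE.test(href)) {
      findings.push({ tag: m[0], href });
    }
  }
  return findings;
}

// Constructed sample: two valid triggers, one trigger pointing off-document,
// and an ordinary link that is not a carousel trigger at all.
const SAMPLE_HTML = `
<div id="demo" class="carousel">
  <a class="left" href="#demo" data-slide="prev">Prev</a>
  <a class="right" href="https://example.test/next" data-slide="next">Next</a>
  <a href="#demo" data-slide-to="0">1</a>
  <a href="/about">About</a>
</div>`;

console.log(auditCarouselTriggers(SAMPLE_HTML)); // one finding: the https href
```

Run the audit over rendered block HTML as part of a build or CI step; a non-empty result is the condition a third-party scanner would be looking for, independent of which Bootstrap version is bundled.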