jQuery-UI dependency vulnerabilities in hoops-web-viewer

I’ve downloaded the HOOPS Communicator 2022 SP1 package and noticed the hoops-web-viewer has a dependency on jQuery-UI 1.11.4. Is the viewer affected by these vulnerabilities?

CVE-2021-41182 MEDIUM (NVD) : jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altFiel…

CVE-2021-41183 MEDIUM (NVD) : jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Te…

CVE-2021-41184 MEDIUM (NVD) : jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of opt.

Hi,

Thanks for pointing out those potential vulnerabilities. We are using jQuery-UI in a very limited way (we are not using the date picker at all, for example) and not in any server-side interactions, so I think the potential risk is very theoretical.

In any case, this has been brought to the attention of product management, and I expect us to upgrade the jQuery-UI version we are using in one of the upcoming releases.

Thanks,
Guido
