Your hoops_web_viewer.js and hoops_web_viewer_monolithic.js source files describe using JSZip v3.1.5, which is vulnerable to “Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.” per report in NVD - CVE-2021-23413. The fix is provided in JSZip v.3.7.0.
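The behaviour quoted from the NVD entry above can be reproduced without JSZip. The following is an added example, not part of the original post and not code from JSZip or the HOOPS viewer: it shows a name-keyed file index built on a plain object beside one built on a prototype-less object. `buildIndex`, `vulnerableIndex`, `hardenedIndex`, `describeIndex` and the sample names are hypothetical and constructed for illustration.

```javascript
// Constructed sample: entry names as they might arrive from an untrusted archive.
const SAMPLE_NAMES = ["docs/readme.txt", "__proto__", "toString"];

// Hypothetical helper: index archive entries by their (untrusted) name.
function buildIndex(names, makeContainer) {
  const files = makeContainer();
  for (const name of names) {
    files[name] = { name, size: 0 }; // the key is controlled by the archive
  }
  return files;
}

// Before: a plain object inherits from Object.prototype, so assigning to the
// key "__proto__" runs the inherited setter and swaps the index's prototype.
const vulnerableIndex = (names) => buildIndex(names, () => ({}));

// After: a prototype-less dictionary; every name is stored as an own key.
const hardenedIndex = (names) => buildIndex(names, () => Object.create(null));

// Summarise what a caller would observe on the returned index.
function describeIndex(files) {
  const proto = Object.getPrototypeOf(files);
  let prototype = "replaced";
  if (proto === null) prototype = "null";
  else if (proto === Object.prototype) prototype = "Object.prototype";
  return {
    prototype,
    ownKeys: Object.keys(files),
    // Non-empty when entry fields leak in through the prototype chain.
    inheritedName: Object.prototype.hasOwnProperty.call(files, "name")
      ? undefined
      : files.name,
  };
}

console.log("plain object:    ", describeIndex(vulnerableIndex(SAMPLE_NAMES)));
console.log("prototype-less:  ", describeIndex(hardenedIndex(SAMPLE_NAMES)));
```

In the plain-object case the `__proto__` entry is missing from the own keys and its fields show up as inherited properties of the index; in the prototype-less case all three names are listed and nothing is inherited.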
Thanks for letting us know. I have passed this information on to the development team.
Hi Guido. Do we have an update from the development team about this vulnerability?
@guido - Any updates on this?
@ramony I’ve logged this issue in our support portal. Here is the ticket:
Medium security severity vulnerability in JSZip - CVE-2021-23413. We can continue the discussion there.