Medium security severity vulnerability in JSZip - CVE-2021-23413

ramony · August 12, 2022, 3:10pm

Your hoops_web_viewer.js and hoops_web_viewer_monolithic.js source files describe using JSZIP v3.1.5, which is vulnerable to “Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.” per report in NVD - CVE-2021-23413. The fix is provided in JSZip v.3.7.0.

guido · August 12, 2022, 4:00pm

Hi,

thanks for letting us know. I have passed this information on to the development team.

Thanks,
Guido

ramony · August 18, 2022, 1:27pm

Hi Guido. Do we have an update from the development team about this vulnerability?

ramony · September 6, 2022, 1:15pm

@guido - Any updates on this?

Jonathan · September 7, 2022, 4:38pm

@ramony I’ve logged this issue in our support portal. Here is the ticket:
Medium security severity vulnerability in JSZip - CVE-2021-23413. We can continue the discussion there.

Topic		Replies	Views
jQuery-UI dependency vulnerabilities in hoops-web-viewer Feedback webviewer	1	773	May 17, 2022
Cannot load scs file in the web viewer Help webviewer	2	823	March 1, 2022
I’m seeing an error similar to this in one of the Communicator sever logs: <OPEN_MODEL_FAILED reason="BAD_STREAM_VERSION" expected="66" actual="59"> HOOPS Communicator	0	1272	July 3, 2019
Can not load Web Viewer in my Next.js application HOOPS Communicator	10	45	April 16, 2024
Unhandled Promise rejection: Communicator is not defined HOOPS Communicator	10	1322	April 29, 2021

Medium security severity vulnerability in JSZip - CVE-2021-23413

Related Topics