Medium security severity vulnerability in JSZip - CVE-2021-23413

ramony · August 12, 2022, 3:10pm

Your hoops_web_viewer.js and hoops_web_viewer_monolithic.js source files describe using JSZIP v3.1.5, which is vulnerable to “Crafting a new zip file with filenames set to Object prototype values (e.g proto, toString, etc) results in a returned object with a modified prototype instance.” per report in NVD - CVE-2021-23413. The fix is provided in JSZip v.3.7.0.

guido · August 12, 2022, 4:00pm

Hi,

thanks for letting us know. I have passed this information on to the development team.

Thanks,
Guido

ramony · August 18, 2022, 1:27pm

Hi Guido. Do we have an update from the development team about this vulnerability?

ramony · September 6, 2022, 1:15pm

@guido - Any updates on this?

Jonathan · September 7, 2022, 4:38pm

@ramony I’ve logged this issue in our support portal. Here is the ticket:
Medium security severity vulnerability in JSZip - CVE-2021-23413. We can continue the discussion there.

Topic		Replies	Views
jQuery-UI dependency vulnerabilities in hoops-web-viewer Feedback webviewer	1	871	May 17, 2022
The HOOPS Web Platform and Exploded Drawings Events	5	626	April 28, 2023
Prototype Aware Getters HOOPS Exchange exchange , knowledge-base	1	1014	February 23, 2022
Cannot load scs file in the web viewer Help webviewer	2	926	March 1, 2022
I’m seeing an error similar to this in one of the Communicator sever logs: <OPEN_MODEL_FAILED reason="BAD_STREAM_VERSION" expected="66" actual="59"> HOOPS Communicator	0	1355	July 3, 2019

Medium security severity vulnerability in JSZip - CVE-2021-23413

Related topics