Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • May 18, 2023 at 6:09 pm #1407860
    testq1

    Enfold (5.6.2)

    Please update 3rd party component.

    jszip 3.6.0 Found in wp-content/themes/enfold/config-lottie-animations/assets/lottie-player/dotlottie-player.js?ver=5.6.2 _____Vulnerability info:
    High Santize filenames when files are loaded with loadAsync, to avoid “zip slip” attacks. 5 CVE-2022-48285 GHSA-36fh-84j7-cv5h 1
    Medium Prototype Pollution CVE-2021-23413 GHSA-jg8v-48h5-wgxg

    thank you!

    May 25, 2023 at 11:36 am #1408513
    Günter

    Hey testq1,

    Thank you for reporting this.

    I updated the component for next release.

    Best regards,
    Günter

    October 17, 2024 at 4:04 pm #1469318
    skopos-connect

    Hi,
    is it possible that this did not happen?
    It seems hat 3.6 is still in the code instead of 3.10 or am I wrong?
    Best, Tom

    October 17, 2024 at 7:24 pm #1469334
    Rikard

    Hi skopos-connect,

    Which version of the theme are you running?

    Best regards,
    Rikard

    October 21, 2024 at 8:28 am #1469535
    skopos-connect

    Hi Rikard,
    we are running Version 6.0.4 currently. It seems that there is 6.0.6 out now.
    As it is hard to find out, what version is used, we found these comments inside dotlottie-player.js
    /*!

    JSZip v3.6.0 – A JavaScript class for generating and reading zip files
    <http://stuartk.com/jszip&gt;

    (c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
    Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.

    JSZip uses the library pako released under the MIT license :
    https://github.com/nodeca/pako/blob/master/LICENSE
    */
    !function(e){t.exports=e()}((function(){return function t(e,r,i){function n(a,o){if(!r[a]){if(!e[a]){var h=”function”==typeof commonjsRequire&&commonjsRequire;if(!o&&h)return h(a,!0);if(s)return s(a,!0);var l=new Error(“Cannot find module ‘”+a+”‘”);throw l.code=”MODULE_NOT_FOUND”,l}var p=r[a]={exports:{}};e[a][0].call(p.exports,(function(t){var r=e[a][1][t];return n(r||t)}),p,p.exports,t,e,r,i)}return r[a].exports}for(var s=”function”==typeof commonjsRequire&&commonjsRequire,a=0;a<i.length;a++)n(i[a]);return n}({1:[function(t,e,r){(function(i){
    /*!

    JSZip v3.5.0 – A JavaScript class for generating and reading zip files
    <http://stuartk.com/jszip&gt;

    (c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
    Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.

    JSZip uses the library pako released under the MIT license :
    https://github.com/nodeca/pako/blob/master/LICENSE
    */

    Best Regards
    Tom

    October 22, 2024 at 11:51 am #1469608
    Günter

    Hi,

    We tried, but could not update the js file to a later version – it had seemed to be buggy and using the methods to control the animation like play, pause, .. did not work as it should. So we left it unchanged.

    Checking the player today (https://developers.lottiefiles.com/) the implementation has completly changed.

    We will add it to our dev repo to consider updateing the element – but we have no ETA for it yet.

    Best regards,
    Günter

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.