May 18, 2023 at 6:09 pm #1407860
Enfold (5.6.2)
Please update 3rd party component.
jszip 3.6.0 Found in wp-content/themes/enfold/config-lottie-animations/assets/lottie-player/dotlottie-player.js?ver=5.6.2

Vulnerability info:
High: Sanitize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. 5 CVE-2022-48285 GHSA-36fh-84j7-cv5h 1
Medium: Prototype Pollution CVE-2021-23413 GHSA-jg8v-48h5-wgxg

thank you!
May 25, 2023 at 11:36 am #1408513

Hey testq1,
Thank you for reporting this.
I updated the component for next release.
Best regards,
Günter

October 17, 2024 at 4:04 pm #1469318

Hi,
is it possible that this did not happen?
It seems that 3.6 is still in the code instead of 3.10 or am I wrong?
Best, Tom

October 17, 2024 at 7:24 pm #1469334

October 21, 2024 at 8:28 am #1469535

Hi Rikard,
we are running Version 6.0.4 currently. It seems that there is 6.0.6 out now.
As it is hard to find out, what version is used, we found these comments inside dotlottie-player.js
/*!JSZip v3.6.0 - A JavaScript class for generating and reading zip files
<http://stuartk.com/jszip>(c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.
JSZip uses the library pako released under the MIT license :
https://github.com/nodeca/pako/blob/master/LICENSE
*/
!function(e){t.exports=e()}((function(){return function t(e,r,i){function n(a,o){if(!r[a]){if(!e[a]){var h="function"==typeof commonjsRequire&&commonjsRequire;if(!o&&h)return h(a,!0);if(s)return s(a,!0);var l=new Error("Cannot find module '"+a+"'");throw l.code="MODULE_NOT_FOUND",l}var p=r[a]={exports:{}};e[a][0].call(p.exports,(function(t){var r=e[a][1][t];return n(r||t)}),p,p.exports,t,e,r,i)}return r[a].exports}for(var s="function"==typeof commonjsRequire&&commonjsRequire,a=0;a<i.length;a++)n(i[a]);return n}({1:[function(t,e,r){(function(i){
/*!JSZip v3.5.0 - A JavaScript class for generating and reading zip files
<http://stuartk.com/jszip>(c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.
JSZip uses the library pako released under the MIT license :
https://github.com/nodeca/pako/blob/master/LICENSE
*/

Best Regards
Tom

October 22, 2024 at 11:51 am #1469608

Hi,
We tried, but could not update the js file to a later version – it had seemed to be buggy and using the methods to control the animation like play, pause, .. did not work as it should. So we left it unchanged.
Checking the player today (https://developers.lottiefiles.com/) the implementation has completely changed.
We will add it to our dev repo to consider updating the element – but we have no ETA for it yet.
Best regards,
Günter

October 22, 2024 at 3:56 pm #1469622

Hi Günter,
Thanks for coming back on this.
It’s good to put this on the dev map, but as this is a Vulnerability CVE we wonder if this feature should not be removed from code by now and added again when it is resolved? Leaving this open door for DOS seems not to be a good idea IMHO.
Best Regards, Tom

October 28, 2024 at 2:00 pm #1470007

Hey Tom,
As Günter mentioned, we’ll consider updating this element.
Uploading Lottie files is only allowed for logged-in users in the backend and it’s not possible to do this on the frontend. Also, this file is not loaded if you are not using the Lottie Animation element or did not select the “Always load all elements” option in the Enfold theme options > Performance > Disable Template Builder Elements ( https://imgur.com/a/3YV9PM5 ).
You can also delete the enfold/config-templatebuilder/avia-shortcodes/lottie_animation folder.
I hope this helps.
Best regards,
Yigit

October 30, 2024 at 10:39 am #1470224

Hi Yigit,
thanks for your information. We will check how we can disable/remove this item.
Best Regards,
Tom