May 18, 2023 at 6:09 pm #1407860
Enfold (5.6.2)
Please update 3rd party component.
jszip 3.6.0 found in wp-content/themes/enfold/config-lottie-animations/assets/lottie-player/dotlottie-player.js?ver=5.6.2

Vulnerability info:
High: Sanitize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. CVE-2022-48285, GHSA-36fh-84j7-cv5h
Medium: Prototype Pollution. CVE-2021-23413, GHSA-jg8v-48h5-wgxg

thank you!
May 25, 2023 at 11:36 am #1408513

Hey testq1,
Thank you for reporting this.
I updated the component for next release.
Best regards,
Günter

October 17, 2024 at 4:04 pm #1469318

Hi,
is it possible that this did not happen?
It seems that 3.6 is still in the code instead of 3.10, or am I wrong?
Best, Tom

October 17, 2024 at 7:24 pm #1469334

October 21, 2024 at 8:28 am #1469535

Hi Rikard,
we are running Version 6.0.4 currently. It seems that there is 6.0.6 out now.
As it is hard to find out what version is used, we found these comments inside dotlottie-player.js:
/*!JSZip v3.6.0 - A JavaScript class for generating and reading zip files
<http://stuartk.com/jszip>(c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.
JSZip uses the library pako released under the MIT license :
https://github.com/nodeca/pako/blob/master/LICENSE
*/
!function(e){t.exports=e()}((function(){return function t(e,r,i){function n(a,o){if(!r[a]){if(!e[a]){var h="function"==typeof commonjsRequire&&commonjsRequire;if(!o&&h)return h(a,!0);if(s)return s(a,!0);var l=new Error("Cannot find module '"+a+"'");throw l.code="MODULE_NOT_FOUND",l}var p=r[a]={exports:{}};e[a][0].call(p.exports,(function(t){var r=e[a][1][t];return n(r||t)}),p,p.exports,t,e,r,i)}return r[a].exports}for(var s="function"==typeof commonjsRequire&&commonjsRequire,a=0;a<i.length;a++)n(i[a]);return n}({1:[function(t,e,r){(function(i){
/*!JSZip v3.5.0 - A JavaScript class for generating and reading zip files
<http://stuartk.com/jszip>(c) 2009-2016 Stuart Knightley <stuart [at] stuartk.com>
Dual licenced under the MIT license or GPLv3. See https://raw.github.com/Stuk/jszip/master/LICENSE.markdown.
JSZip uses the library pako released under the MIT license :
https://github.com/nodeca/pako/blob/master/LICENSE
*/

Best Regards,
Tom

October 22, 2024 at 11:51 am #1469608

Hi,
We tried, but could not update the js file to a later version – it had seemed to be buggy and using the methods to control the animation like play, pause, .. did not work as it should. So we left it unchanged.
Checking the player today (https://developers.lottiefiles.com/), the implementation has completely changed.
We will add it to our dev repo to consider updating the element, but we have no ETA for it yet.
Best regards,
Günter