
accelerator-sample-apps-js's People

Contributors

adrice727, maikthomas, marinaserranomontes, michaeljolley


accelerator-sample-apps-js's Issues

express-4.18.1.tgz: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - express-4.18.1.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.1.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/express/package.json

Vulnerabilities

CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (express version) | Remediation Possible** | Reachability
CVE-2024-29041 | Medium | 6.1 | Not Defined | 0.0% | express-4.18.1.tgz | Direct | 4.19.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-29041

Vulnerable Library - express-4.18.1.tgz

Fast, unopinionated, minimalist web framework

Library home page: https://registry.npmjs.org/express/-/express-4.18.1.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/express/package.json

Dependency Hierarchy:

  • express-4.18.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location() but this is also called from within res.redirect(). The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.

Publish Date: 2024-03-25

URL: CVE-2024-29041

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rv95-896h-c2vc

Release Date: 2024-03-25

Fix Resolution: 4.19.0

⛑️ Automatic Remediation will be attempted for this issue.

opentok-screen-sharing-1.0.35.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - opentok-screen-sharing-1.0.35.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/replace/node_modules/minimatch/package.json

Vulnerabilities

CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (opentok-screen-sharing version) | Remediation Possible** | Reachability
CVE-2022-3517 | High | 7.5 | Not Defined | 0.2% | minimatch-3.0.4.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/replace/node_modules/minimatch/package.json

Dependency Hierarchy:

  • opentok-screen-sharing-1.0.35.tgz (Root Library)
    • replace-1.2.1.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

OT is not defined (core.js - line 76)

General information

  • Library version(s): "opentok-accelerator-core": ">=2.0.0",
  • iOS/Android/Browser version(s): All Browsers
  • Devices/Simulators/Machine affected: All Browsers
  • Reproducible in the demo project? (Yes/No): YES

Bug report

When running the React Accelerator app, the error "OT is not defined (core.js - line 76)" happens. After digging through core.js, OT is not defined anywhere.

moment-2.17.1.min.js: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (moment version) | Remediation Available
CVE-2022-31129 | High | 7.5 | moment-2.17.1.min.js | Direct | moment - 2.29.4 |
CVE-2017-18214 | High | 7.5 | moment-2.17.1.min.js | Direct | moment - 2.19.3 |
CVE-2022-24785 | High | 7.5 | moment-2.17.1.min.js | Direct | moment - 2.29.2 |

Details

CVE-2022-31129

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • moment-2.17.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

CVE-2017-18214

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • moment-2.17.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-446m-mv8f-q348

Release Date: 2018-03-04

Fix Resolution: moment - 2.19.3

CVE-2022-24785

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • moment-2.17.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: moment - 2.29.2

Screen sharing and Recording is not working

Hi, I'm testing it on Firefox; video and audio are connecting but screen sharing and recording are not working. When I click on screen sharing it asks for an extension but doesn't install it when I click the install extension button, and when I click on the recording button and then click again to save the recording it shows a dialogue box saying I will get a notification when it's ready, but I never receive a notification. Can you please help me?

jquery-3.1.1.min.js: 3 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Available
CVE-2020-11023 | Medium | 6.1 | jquery-3.1.1.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 |
CVE-2020-11022 | Medium | 6.1 | jquery-3.1.1.min.js | Direct | jQuery - 3.5.0 |
CVE-2019-11358 | Medium | 6.1 | jquery-3.1.1.min.js | Direct | jquery - 3.4.0 |

Details

CVE-2020-11023

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

underscore-min-1.8.3.js: 1 vulnerabilities (highest severity is: 7.2)

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (underscore-min version) | Remediation Available
CVE-2021-23358 | High | 7.2 | underscore-min-1.8.3.js | Direct | underscore - 1.12.1,1.13.0-2 |

Details

CVE-2021-23358

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • underscore-min-1.8.3.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

`sdk-wrapper-react-sample` doesn't compile

New issue checklist

General information

  • Library version(s): 2.0.15
  • iOS/Android/Browser version(s): Chrome 81.0.4044.92
  • Devices/Simulators/Machine affected: macOS Catalina 10.15.3
  • Reproducible in the demo project? (Yes/No): YES
  • Related issues: ....?


Bug report

I'm guessing this won't be looked at since none of the other open issues have responses and some of those are two years old, but I'll catalog it anyway.

Expected behavior

The sample app doesn't compile. I would expect it to at least run. I get that it hasn't been updated in 2 years, but it should at least compile and run without having to do anything.

Actual behavior

After running the following commands (as indicated in the README), I get the errors below:

git clone https://github.com/opentok/accelerator-sample-apps-js.git
cd accelerator-sample-apps-js
npm install

[screenshot of the npm install errors]

npm start

[screenshot of the npm start errors]

Steps to reproduce

git clone https://github.com/opentok/accelerator-sample-apps-js.git
cd accelerator-sample-apps-js
npm install

And see errors...

Crash log? Screenshots? Videos? Sample project?

See above

Question or Feature Request

Please update these sample applications so we can actually use them to help us understand the API

Using Publisher getImgData

Question or Feature Request

I was experimenting with the vanilla JS example; can you help me find the easiest way to get the publisher session and use the documented getImgData() https://tokbox.com/developer/sdks/js/reference/Publisher.html#getImgData ?
Or do I need to follow the JS SDK way?
Thank you!

opentok-screen-sharing-1.0.35.tgz: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - opentok-screen-sharing-1.0.35.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/replace/node_modules/minimatch/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (opentok-screen-sharing version) | Remediation Available
CVE-2022-3517 | High | 7.5 | minimatch-3.0.4.tgz | Transitive | N/A* |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/replace/node_modules/minimatch/package.json

Dependency Hierarchy:

  • opentok-screen-sharing-1.0.35.tgz (Root Library)
    • replace-1.2.1.tgz
      • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

React sample app eslint conflict

Hi there,

I'm trying to run the React sample app locally but getting the following error in the terminal:
'There might be a problem with the project dependency tree.
It is likely not a bug in Create React App, but something you need to fix locally.

The react-scripts package provided by Create React App requires a dependency:

"eslint": "^7.11.0"

Don't try to install it manually: your package manager does it automatically.
However, a different version of eslint was detected higher up in the tree:

......\vonage-react-sample-app\node_modules\eslint (version: 3.19.0)'

I've tried all the suggested steps to fix the dependency tree but nothing seems to work.

Please can you advise?

Virtual Background Support

Hello,

I want to implement a virtual background filter on a video visit, like what the Google Meet and Zoom apps do.
I found a few examples with pure Vonage JS code but am not able to merge that code using our AccCore method.
So is there any way to do that with your AccCore plugin method?

Reference link of virtual background: https://github.com/nexmo-se/opentok-filters-bodypix

Just let me know if there is any method or reference code so that I can implement this feature using the accelerator-core-js plugin.

Thanks,

Can i edit video container div?

Hi, can I edit the default behaviour of the subscriber and publisher display? I mean the person who opens the room should always be full screen (to everyone) and the others who join are in small divs.

We are not able to add a subscriber to the same sessionId

// Credentials are chosen by role; the real values were redacted ('###') in the report.
let apiCredentials;
if (role === 'organiser') {
  // publisher sample api details
  apiCredentials = {
    apiKey: '#####',
    sessionId: '#####',
    token: '######################',
  };
} else {
  // subscriber sample api details
  apiCredentials = {
    apiKey: '#############',
    sessionId: '#######################',
    token: '##########################',
  };
}

const otCoreOptions = {
  credentials: apiCredentials,
  // A container can either be a query selector or an HTML Element
  streamContainers(pubSub, type, data, stream) {
    return {
      publisher: {
        camera: '#cameraPublisherContainer',
        screen: '#screenPublisherContainer',
      },
      subscriber: {
        camera: '#cameraSubscriberContainer',
        screen: '#screenSubscriberContainer',
      },
    }[pubSub][type];
  },
  controlsContainer: '#controls',
  packages: ['textChat', 'screenSharing', 'annotation'],
  communication: {
    callProperties: null, // Using default
  },
  textChat: {
    name: ['David', 'Paul', 'Emma', 'George', 'Amanda'][Math.random() * 5 | 0], // eslint-disable-line no-bitwise
    waitingMessage: 'Messages will be delivered when other users arrive',
    container: '#chat',
  },
  screenSharing: {
    extensionID: 'plocfffmbcclpdifaikiikgplfnepkpo',
    annotation: true,
    externalWindow: false,
    dev: true,
    screenProperties: {
      insertMode: 'append',
      width: '100%',
      height: '100%',
      showControls: false,
      style: {
        buttonDisplayMode: 'off',
      },
      videoSource: 'window',
      fitMode: 'contain', // Using default
    },
  },
  annotation: {
    absoluteParent: {
      publisher: '.App-video-container',
      subscriber: '.App-video-container',
    },
  },
};

Screen Sharing Issue

When we click on the screen sharing icon, the screen keeps on mirroring itself.

Can someone help me with this?


OT.$.browser is not a function

Previously the app was working fine, but since this morning it always shows this error message in the browser. I also tried to build a new app by downloading from here, but it shows the same error.
Can anyone please help?
The error is coming from the opentok-screensharing.js file.
I'm using: vanilla-js-sample-app
I also tried downloading the opentok.min.js file and including it locally, but I get the same error.
@maikthomas or any other dev reading this, please help.

Error is :

Uncaught TypeError: OT.$.browser is not a function                             opentok-screen-sharing.js:395
at _validateExtension (opentok-screen-sharing.js:395)
at _validateOptions (opentok-screen-sharing.js:422)
at new ScreenSharingAccPack (opentok-screen-sharing.js:442)
at initPackages (opentok-acc-core.js:8986)
at opentok-acc-core.js:9018
at i (eventing.js:258)
at innerEventingMixin.js:59

and the line the error is coming from is:
if (OT.$.browser() === 'Chrome') { /* some code here */ }

Use of Arrow Functions prevents use with IE 11

New issue checklist

General information

  • Library version(s):
  • iOS/Android/Browser version(s):
  • Devices/Simulators/Machine affected:
  • Reproducible in the demo project? (Yes/No):
  • Related issues:

Bug report

Expected behavior

render in IE

Actual behavior

Syntax error leading to the use of Arrow Functions.

Steps to reproduce

Git pull, compile and run, test with IE.

Crash log? Screenshots? Videos? Sample project?


https://caniuse.com/#feat=arrow-functions

Question or Feature Request

Can you refactor to use traditional functions in place of Arrow Functions, to save others having to do it? Thanks!

react-15.7.0.tgz: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - react-15.7.0.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/ua-parser-js/package.json

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (react version) | Remediation Available
CVE-2022-25927 | High | 7.5 | ua-parser-js-0.7.31.tgz | Transitive | 16.0.0 |
CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | 16.5.0 |
CVE-2020-15168 | Medium | 5.3 | node-fetch-1.7.3.tgz | Transitive | 16.5.0 |

Details

CVE-2022-25927

Vulnerable Library - ua-parser-js-0.7.31.tgz

Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.31.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • ua-parser-js-0.7.31.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Publish Date: 2022-02-24

URL: CVE-2022-25927

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-02-24

Fix Resolution (ua-parser-js): 1.0.33

Direct dependency fix Resolution (react): 16.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (react): 16.5.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (react): 16.5.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

jquery-3.1.1.min.js: 3 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (jquery version) Remediation Possible** Reachability
CVE-2020-11023 Medium 6.1 Proof of concept 2.3% jquery-3.1.1.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022 Medium 6.1 Proof of concept 6.3% jquery-3.1.1.min.js Direct jQuery - 3.5.0
CVE-2019-11358 Medium 6.1 Proof of concept 3.5% jquery-3.1.1.min.js Direct jquery - 3.4.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 2.3%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 6.3%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2019-11358

Vulnerable Library - jquery-3.1.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • jquery-3.1.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 3.5%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

opentok-accelerator-core-2.0.20.tgz: 3 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - opentok-accelerator-core-2.0.20.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/follow-redirects/package.json,/sdk-wrapper-react-sample/node_modules/follow-redirects/package.json

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (opentok-accelerator-core version) Remediation Possible** Reachability
CVE-2024-28849 Medium 6.5 Not Defined 0.0% follow-redirects-1.15.1.tgz Transitive N/A*
CVE-2023-45857 Medium 6.5 Not Defined 0.1% axios-0.21.4.tgz Transitive N/A*
CVE-2023-26159 Medium 6.1 Not Defined 0.1% follow-redirects-1.15.1.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-28849

Vulnerable Library - follow-redirects-1.15.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.1.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/follow-redirects/package.json,/sdk-wrapper-react-sample/node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • opentok-accelerator-core-2.0.20.tgz (Root Library)
    • opentok-solutions-logging-1.1.4.tgz
      • axios-0.21.4.tgz
        • follow-redirects-1.15.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials too. This vulnerability may lead to a credential leak, but has been addressed in version 1.15.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-03-14

URL: CVE-2024-28849

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cxjh-pqwp-8mfp

Release Date: 2024-03-14

Fix Resolution: follow-redirects - 1.15.6

CVE-2023-45857

Vulnerable Library - axios-0.21.4.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.4.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/axios/package.json,/vanilla-js-sample-app/node_modules/axios/package.json

Dependency Hierarchy:

  • opentok-accelerator-core-2.0.20.tgz (Root Library)
    • opentok-solutions-logging-1.1.4.tgz
      • axios-0.21.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

CVE-2023-26159

Vulnerable Library - follow-redirects-1.15.1.tgz

HTTP and HTTPS modules that follow redirects.

Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.1.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/follow-redirects/package.json,/sdk-wrapper-react-sample/node_modules/follow-redirects/package.json

Dependency Hierarchy:

  • opentok-accelerator-core-2.0.20.tgz (Root Library)
    • opentok-solutions-logging-1.1.4.tgz
      • axios-0.21.4.tgz
        • follow-redirects-1.15.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Publish Date: 2024-01-02

URL: CVE-2023-26159

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26159

Release Date: 2024-01-02

Fix Resolution: follow-redirects - 1.15.4

Screen sharing of entire screen black (TokBox_React example)

New issue checklist

General information

  • Library version(s): Latest
  • iOS/Android/Browser version(s): Chrome(68.0.3440.106 (Official Build) (64-bit))/Firefox(61.0.2 (64-Bit))
  • Devices/Simulators/Machine affected: Windows
  • Reproducible in the demo project?: Yes

Bug report

Expected behavior

Should be able to share entire screen, not just specific window or browser tab

Actual behavior

Only sharing of specific window screens and browser tabs (some of them are just black)

Steps to reproduce

Set config in the React version, build the React app (deploy over HTTPS to allow screen sharing)

Repo

https://github.com/Sara64/iadl

In App.js, in otCoreOptions.screenSharing, there are options which I think should work for sharing the entire screen, but they don't.

Thank you :)

react-15.7.0.tgz: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - react-15.7.0.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/node-fetch/package.json

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (react version) Remediation Possible** Reachability
CVE-2022-25927 High 7.5 Not Defined 0.1% ua-parser-js-0.7.31.tgz Transitive 16.0.0
CVE-2022-0235 Medium 6.1 Not Defined 0.4% node-fetch-1.7.3.tgz Transitive 16.5.0
CVE-2020-15168 Medium 5.3 Not Defined 0.1% node-fetch-1.7.3.tgz Transitive 16.5.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25927

Vulnerable Library - ua-parser-js-0.7.31.tgz

Detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data. Supports browser & node.js environment

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.31.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/ua-parser-js/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • ua-parser-js-0.7.31.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Publish Date: 2023-01-26

URL: CVE-2022-25927

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-01-26

Fix Resolution (ua-parser-js): 0.7.33

Direct dependency fix Resolution (react): 16.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-0235

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (react): 16.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-15168

Vulnerable Library - node-fetch-1.7.3.tgz

A light-weight module that brings window.fetch to node.js and io.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz

Path to dependency file: /sdk-wrapper-react-sample/package.json

Path to vulnerable library: /sdk-wrapper-react-sample/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • react-15.7.0.tgz (Root Library)
    • fbjs-0.8.18.tgz
      • isomorphic-fetch-2.2.1.tgz
        • node-fetch-1.7.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution (node-fetch): 2.6.1

Direct dependency fix Resolution (react): 16.5.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️ Automatic Remediation will be attempted for this issue.

underscore-min-1.8.3.js: 1 vulnerabilities (highest severity is: 7.2)

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (underscore-min version) Remediation Possible** Reachability
CVE-2021-23358 High 7.2 Not Defined 1.1% underscore-min-1.8.3.js Direct underscore - 1.12.1,1.13.0-2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-23358

Vulnerable Library - underscore-min-1.8.3.js

JavaScript's functional programming helper library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.8.3/underscore-min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • underscore-min-1.8.3.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

Publish Date: 2021-03-29

URL: CVE-2021-23358

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.1%

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358

Release Date: 2021-03-29

Fix Resolution: underscore - 1.12.1,1.13.0-2

opentok-text-chat-1.0.36.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - opentok-text-chat-1.0.36.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/moment/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-31129 High 7.5 moment-2.29.3.tgz Transitive N/A

Details

CVE-2022-31129

Vulnerable Library - moment-2.29.3.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.3.tgz

Path to dependency file: /vanilla-js-sample-app/package.json

Path to vulnerable library: /vanilla-js-sample-app/node_modules/moment/package.json

Dependency Hierarchy:

  • opentok-text-chat-1.0.36.tgz (Root Library)
    • moment-2.29.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. A noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4

react accelerator-sample-app-js does not support annotation on video screen

New issue checklist

General information

  • Library version(s):
  • iOS/Android/Browser version(s):
  • Devices/Simulators/Machine affected:
  • Reproducible in the demo project? (Yes/No):
  • Related issues:

Bug report

Expected behavior

...

Actual behavior

...

Steps to reproduce

...

Crash log? Screenshots? Videos? Sample project?

...

Question or Feature Request

...

moment-2.17.1.min.js: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (moment version) Remediation Possible** Reachability
CVE-2017-18214 High 7.5 Not Defined 0.2% moment-2.17.1.min.js Direct moment - 2.19.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-18214

Vulnerable Library - moment-2.17.1.min.js

Parse, validate, manipulate, and display dates

Library home page: https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.17.1/moment.min.js

Path to dependency file: /vanilla-js-sample-app/public/index.html

Path to vulnerable library: /vanilla-js-sample-app/public/index.html

Dependency Hierarchy:

  • moment-2.17.1.min.js (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-446m-mv8f-q348

Release Date: 2018-03-04

Fix Resolution: moment - 2.19.3

Can't parse the data of otCore.state() object

Hi, the accelerator-sample-apps are very helpful.
I'm using the vanilla-js sample app and want to add an image capture feature to it, and for that I have THIS.
But when I called otCore.state() it returned an object, and for capture we need to parse:

obj > subscribers > camera > DYNAMIC SUBSCRIBER > getImgData()

I'm parsing obj.subscribers.camera successfully but unable to parse the next dynamic subscriber id (it's changing every time). Then I tried subscribers.camera[0]; this also gives an error.

Here is a screenshot of the data that this object is returning:
In this SS I'm testing with the publishers object.
[screenshot: selection_031]

It sometimes gives a cyclic object error, so I serialize the object, but after serializing some keys and values are missing.
Help wanted. @maikthomas
