Yoga is a cross-platform layout engine enabling maximum collaboration within your team by implementing an API many designers are familiar with, and opening it up to developers across different platforms.
Path to dependency file: webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock
Path to vulnerable library: webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock,webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock
CVE-2021-22878 - Medium Severity Vulnerability
Vulnerable Library - Yoga-1.14.0
Yoga is a cross-platform layout engine enabling maximum collaboration within your team by implementing an API many designers are familiar with, and opening it up to developers across different platforms.
Library home page: https://github.com/facebook/yoga/archive/1.14.0.zip
Path to dependency file: webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock
Path to vulnerable library: webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock,webrtc/packages/react-native/examples/calling-video-app/ios/Podfile.lock
Dependency Hierarchy: - :x: **Yoga-1.14.0** (Vulnerable Library)
Found in HEAD commit: 7addcf9cd729c9663018dc72c8fb345aad67bea4
Found in base branch: main
Vulnerability Details
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
Publish Date: 2021-03-03
URL: CVE-2021-22878
CVSS 3 Score Details (4.8)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nextcloud.com/security/advisory/?id=NC-SA-2021-005
Release Date: 2021-03-03
Fix Resolution: v20.0.6