nodemailer/wildduck

IMAP/POP3 server built with Node.js and MongoDB.

Vulnerabilities

2 via 2 paths

Dependencies

401

Source

GitHub


medium severity

Cryptographic Weakness

  • Vulnerable module: jsrsasign
  • Introduced through: mobileconfig@2.4.0

Detailed paths

  • Introduced through: wildduck@nodemailer/wildduck › mobileconfig@2.4.0 › jsrsasign@9.1.9

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Cryptographic Weakness. Invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized as valid.

Remediation

Upgrade jsrsasign to version 10.1.13 or higher.

medium severity
new

Improper Input Validation

  • Vulnerable module: xmldom
  • Introduced through: mobileconfig@2.4.0

Detailed paths

  • Introduced through: wildduck@nodemailer/wildduck › mobileconfig@2.4.0 › plist@3.0.2 › xmldom@0.5.0

Overview

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Improper Input Validation. It does not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Remediation

A fix was pushed into the master branch but not yet published.