RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License
4.07k stars 873 forks

CVE vulnerabilities on some JS libraries #2237

Open FerGT50 opened 7 months ago

FerGT50 commented 7 months ago

Hello, while scanning our webmail site (running latest RainLoop), we found some vulnerabilities. Updating relevant JavaScript libraries should solve most of them: do you have this planned for an upcoming version? Thanks for your outstanding work!

RainLoop version, browser, OS: RainLoop v1.17.0, Linux Debian v11.8 x64, no browser involved

Expected behavior and actual behavior: Expected: no CVE vulnerabilities

Steps to reproduce the problem: Examining JavaScript libraries used by RainLoop, we found the following CVE vulnerabilities:

jQuery UI 1.10.3 (latest is 1.13.2): CVE-2021-41184, CVE-2021-41182, CVE-2021-41183, CVE-2016-7103, CVE-2022-31160

Knockout 3.4.2 (latest is 3.5.1): CVE-2019-14863

Moment.js 2.29.1 (latest is 2.29.4): CVE-2022-31129, CVE-2022-24785

Logs or screenshots: RainLoop_webmail_vulnerabilities-1

jult commented 4 months ago

Has RainLoop been deserted? Do we all need to leave to SnappyMail now?