noahbjohnson / electron-foundation

An opinionated boilerplate for electron prototype apps
MIT License

electron-builder-22.10.5.tgz: 5 vulnerabilities (highest severity is: 9.8) #61

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago
Vulnerable Library - electron-builder-22.10.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/plist

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (electron-builder version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-39353 | Critical | 9.8 | xmldom-0.5.0.tgz | Transitive | N/A* | |
| CVE-2022-22912 | Critical | 9.8 | plist-3.0.2.tgz | Transitive | 22.11.1 | |
| CVE-2024-27303 | High | 7.3 | app-builder-lib-22.10.5.tgz | Transitive | 24.13.2 | |
| CVE-2022-33987 | Medium | 5.3 | got-9.6.0.tgz | Transitive | 23.5.0 | |
| CVE-2021-32796 | Medium | 5.3 | xmldom-0.5.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

## CVE-2022-39353

### Vulnerable Library - xmldom-0.5.0.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmldom

Dependency Hierarchy:
- electron-builder-22.10.5.tgz (Root Library)
  - dmg-builder-22.10.5.tgz
    - dmg-license-1.0.9.tgz
      - plist-3.0.2.tgz
        - :x: **xmldom-0.5.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`, or reject a document that has more than 1 `childNode`.

Publish Date: 2022-11-02

URL: CVE-2022-39353

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Release Date: 2022-11-02

Fix Resolution: @xmldom/xmldom - 0.7.7,0.8.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
## CVE-2022-22912

### Vulnerable Library - plist-3.0.2.tgz

Mac OS X Plist parser/builder for Node.js and browsers

Library home page: https://registry.npmjs.org/plist/-/plist-3.0.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/plist

Dependency Hierarchy:
- electron-builder-22.10.5.tgz (Root Library)
  - dmg-builder-22.10.5.tgz
    - dmg-license-1.0.9.tgz
      - :x: **plist-3.0.2.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Publish Date: 2022-02-17

URL: CVE-2022-22912

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2022-02-17

Fix Resolution (plist): 3.0.6

Direct dependency fix Resolution (electron-builder): 22.11.1

## CVE-2024-27303

### Vulnerable Library - app-builder-lib-22.10.5.tgz

electron-builder lib

Library home page: https://registry.npmjs.org/app-builder-lib/-/app-builder-lib-22.10.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/app-builder-lib

Dependency Hierarchy:
- electron-builder-22.10.5.tgz (Root Library)
  - :x: **app-builder-lib-22.10.5.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects electron-builder prior to 24.13.2 in Windows: the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. Version 24.13.2 fixes this issue. No known workaround exists. The code executes at the installer level before the app is present on the system, so there's no way to check if it exists in a current installer.

Publish Date: 2024-03-06

URL: CVE-2024-27303

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/electron-userland/electron-builder/security/advisories/GHSA-r4pf-3v7r-hh55

Release Date: 2024-03-06

Fix Resolution (app-builder-lib): 24.13.2

Direct dependency fix Resolution (electron-builder): 24.13.2

## CVE-2022-33987

### Vulnerable Library - got-9.6.0.tgz

Simplified HTTP requests

Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/got

Dependency Hierarchy:
- electron-builder-22.10.5.tgz (Root Library)
  - update-notifier-5.1.0.tgz
    - latest-version-5.1.0.tgz
      - package-json-6.5.0.tgz
        - :x: **got-9.6.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution (got): 11.8.6

Direct dependency fix Resolution (electron-builder): 23.5.0

## CVE-2021-32796

### Vulnerable Library - xmldom-0.5.0.tgz

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Library home page: https://registry.npmjs.org/xmldom/-/xmldom-0.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/xmldom

Dependency Hierarchy:
- electron-builder-22.10.5.tgz (Root Library)
  - dmg-builder-22.10.5.tgz
    - dmg-license-1.0.9.tgz
      - plist-3.0.2.tgz
        - :x: **xmldom-0.5.0.tgz** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Publish Date: 2021-07-27

URL: CVE-2021-32796

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q

Release Date: 2021-07-27

Fix Resolution: @xmldom/xmldom - 0.7.0
