It's not an online scanner, it's scanning offline on the filesystem. I can test that even without an installation. The only issue here is that I have a database with information of the form "app X had its last security vuln Y that was fixed in Z". It seems right now there is no fixed version, so that's what I'm reporting. I can update it once you make a new release. See here how the data looks: https://git.schokokeks.org/freewvs.git/blob/master/freewvsdb/wiki.json
I'm not running phpwiki myself, I'm developing a tool that scans for vulnerable web applications [1].

[1] https://source.schokokeks.org/freewvs/
Cross Site Scripting vulnerability
Security vulnerabilities described on exploit-db
pam_mount uses deprecated openssl 1.1 features
Can I ask what the fix is? Your comment indicates this is an underlying Thunderbird issue and can't be fixed within Enigmail.
I created a patch that fixes all those issues and a few more. Apart from the ones you mentioned, it is also possible to achieve XSS via the formaction attribute or via SVG animations (animate to attribute). I'm now adding a lot more filtering, but I believe this doesn't break any common HTML mails, as other webmailers apply similar filtering. I'm completely removing inline SVG (Gmail does the same, so I don't think anyone uses them). Some of the filtering is now redundant, but it may help kill further...