szajbus
commented
1 year ago Hi @borisovara, thank you for reporting it.
This project is not actively maintained, buy if you can make a pull request upgrading AngularJS version, I'll be happy to merge it.
Open borisovara opened 1 year ago
szajbus
commented
1 year ago Hi @borisovara, thank you for reporting it.
This project is not actively maintained, buy if you can make a pull request upgrading AngularJS version, I'll be happy to merge it.
We have noticed that the used AngularJS version is pretty old and full of vulnerabilities.
Currently, AngularJS v1.0.6 version is used, here is a list with some of the vulnerabilities:
In AngularJS before 1.7.9 the function 'merge()' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.It would be highly appreciated if we can release a new version including angular upgrade.
As a bare minimum, AngularJS 1.8.0 should be used, IMO.