virtualansoftware / virtualan

Virtualan is an open-source, OpenAPI-interface-driven service virtualization tool. Virtualan is a mock service developed on top of the Spring Boot framework. Any REST API can be converted into a virtual service in minutes using annotations: @VirtualService and @ApiVirtual.
https://tutorials.virtualan.io/#/
Apache License 2.0

RCE vulnerability in angular 1.5.5 (virtualan-plugin) #439

Open 4ndris opened 2 years ago

4ndris commented 2 years ago

Security analysis of the current virtualan-plugin detects a vulnerability in the third party js library angular 1.5.5. Nexus IQ identifies the threat with high-severity.

Issue: sonatype-2016-0064
Severity: Sonatype CVSS 3: 8.5; CVE CVSS 2.0: 0.0
Weakness: Sonatype CWE-79

Explanation The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The ensureSafeAssignContext() function in parse.js processes malicious expressions that access the constructors. A remote attacker can exploit this vulnerability by crafting malicious expressions that, when processed, result in execution of arbitrary code.

@elans3 Could you please review this? Thanks
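The report above boils down to an outdated AngularJS 1.x bundle shipped inside the plugin's static resources, which the maintainer eventually resolved by removing AngularJS altogether. The following is an added example (not code from the Virtualan project) of a build-time gate that finds bundled AngularJS 1.x copies by the version banner at the top of angular.js / angular.min.js and fails if any are present; the sample resources tree is constructed inline, and the policy (any AngularJS 1.x fails, since the 1.x line is end-of-life) is an assumption of this example, not a rule stated in the thread.

```python
import re
import tempfile
from pathlib import Path

# AngularJS 1.x ships a header such as "@license AngularJS v1.5.5" (angular.js)
# or " AngularJS v1.5.5" (angular.min.js). Only the file prefix is inspected so a
# large resources tree scans cheaply.
BANNER_RE = re.compile(r"\bAngularJS v(\d+\.\d+\.\d+)")


def angularjs_version(js_text: str):
    """Return the AngularJS version declared in a JS file header, or None."""
    match = BANNER_RE.search(js_text[:2048])
    return match.group(1) if match else None


def find_bundled_angularjs(root: Path):
    """List (posix relative path, version) for every AngularJS bundle under root."""
    findings = []
    for path in sorted(root.rglob("*.js")):
        version = angularjs_version(path.read_text(encoding="utf-8", errors="replace"))
        if version:
            findings.append((path.relative_to(root).as_posix(), version))
    return findings


def dependency_gate(root: Path) -> bool:
    """Assumed policy: AngularJS 1.x is end-of-life, so any bundled copy fails the gate."""
    return not find_bundled_angularjs(root)


def demo():
    """Constructed sample tree standing in for a plugin's packaged static resources."""
    root = Path(tempfile.mkdtemp())
    lib = root / "static" / "lib"
    lib.mkdir(parents=True)
    (lib / "angular.min.js").write_text(
        "/*\n AngularJS v1.5.5\n (c) 2010-2016 Google, Inc. http://angularjs.org\n"
        " License: MIT\n*/\n(function(){})();\n", encoding="utf-8")
    (lib / "app.js").write_text("// application code, no framework banner\n", encoding="utf-8")
    findings = find_bundled_angularjs(root)
    return findings, dependency_gate(root)


if __name__ == "__main__":
    found, passed = demo()
    for rel_path, version in found:
        print(f"bundled AngularJS {version} at {rel_path}")
    print("gate:", "PASS" if passed else "FAIL")
```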

4ndris commented 2 years ago

@elans3 Let me know if I can share any other detail that could help

elans3 commented 2 years ago

Identified the issue and will be working on addressing it.

@4ndris Working on the fix; it will be released by next week.

elans3 commented 1 year ago

@4ndris this issue is fixed in the September release, version 2.5.3. Please confirm the same.

4ndris commented 1 year ago

@elans3 I see version 2.5.3 still suffers from CVE-2022-42003. Beyond:

elans3 commented 1 year ago

@4ndris I will start looking at the issue. Can you share which security product I should scan with before I release?

4ndris commented 1 year ago

Hi @elans3, do you have any update regarding this? You can use Nexus-IQ to reproduce it. Maybe any plan to replace this old version of Angular?

elans3 commented 1 year ago

Thanks @4ndris. Working on it and will keep you updated. Will remove the older version of Angular as well.

elans3 commented 6 months ago

I'm thrilled to announce that version 3.1.0 of the Virtualan plugin with Reactjs has been released, @4ndris. I took the liberty of removing the outdated AngularJS code. So, let's get excited and start using the latest and greatest version of the plugin!

Thanks for the patience