Open 4ndris opened 2 years ago
Security analysis of the current virtualan-plugin detects a vulnerability in the third-party JS library AngularJS 1.5.5. Nexus IQ identifies the threat with high severity.

Issue: sonatype-2016-0064
Severity: Sonatype CVSS 3: 8.5; CVE CVSS 2.0: 0.0
Weakness: Sonatype CWE-79

Explanation: The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The ensureSafeAssignContext() function in parse.js processes malicious expressions that access the constructors. A remote attacker can exploit this vulnerability by crafting malicious expressions that, when processed, result in execution of arbitrary code.

@elans3 Could you please review this? Thanks

@elans3 Let me know if I can share any other detail that could help.

Identified the issue and will be working on addressing it.

@4ndris Working on the fix; it will be released by next week.

@4ndris This issue is fixed in the September release, version 2.5.3. Please confirm the same.

@elans3 I see version 2.5.3 still suffers from CVE-2022-42003. Beyond:

@4ndris I will start looking at the issue. Can you share which security product I should scan with before I release?

Hi @elans3, do you have any update regarding this? You can use Nexus-IQ to reproduce it. Is there any plan to replace this old version of Angular?

Thanks @4ndris. Working on it and will keep you updated. Will remove the older version of Angular as well.

I'm thrilled to announce that version 3.1.0 of the Virtualan plugin with Reactjs has been released, @4ndris. I took the liberty of removing the outdated AngularJS code. So, let's get excited and start using the latest and greatest version of the plugin!

Thanks for the patience.