Hi team,
We are using Redash 7 and we have a requirement to upgrade the AngularJS version from 1.5.8 to 1.7.8, since the current version of AngularJS was found vulnerable in testing. Could you please help us with this topic? Could you please confirm whether the application is exploiting the vulnerability in v1.5.8?
Known issues
AngularJS Issue #11352: https://github.com/angular/angular.js/issues/11352
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The $http function within Angular does not perform any security checks using $sce.RESOURCE_URL on the URLs that it receives. This could be leveraged by an attacker to conduct XSS attacks through JSONP callbacks.
AngularJS Issue #16288: https://github.com/angular/angular.js/issues/16288
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Browsers mutate attribute values such as javascript:alert(1) when they are written to the DOM via innerHTML in various vendor-specific ways. In Chrome (<62), this mutation removed the preceding “whitespace”, resulting in a value that could end up being executed as JavaScript.
AngularJS Issue #11328: https://github.com/angular/angular.js/issues/11328
Affected versions of this package are vulnerable to JSONP Callback Attack. JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client. Any URL could perform JSONP requests, allowing full access to the browser and the JavaScript context. This can lead to Cross-site Scripting.
Thanks and Regards
Indu
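
One way to triage whether a code base actually exercises the `$http` JSONP path named in issues #11352 and #11328 is to search the front-end source for JSONP calls. This is an added example, not part of the original post and not Redash code; the function name `findJsonpUsage`, the patterns, and the sample source are assumptions constructed for illustration.

```javascript
// Added example: flag AngularJS $http JSONP usage in front-end source text.
// Patterns cover the two documented call styles plus the 1.5.x callback
// placeholder; they are a heuristic, not a full JavaScript parser.
const PATTERNS = [
  { kind: '$http.jsonp call', re: /\$http\s*\.\s*jsonp\s*\(/ },
  { kind: "$http config method 'JSONP'", re: /method\s*:\s*['"]JSONP['"]/i },
  { kind: 'JSON_CALLBACK placeholder', re: /JSON_CALLBACK/ },
];

// Returns one finding per matching line: { file, line, kinds, text }.
function findJsonpUsage(source, file) {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, idx) => {
    const text = raw.trim();
    // Skip whole-line comments only; "//" also appears inside URLs,
    // so trailing comments are deliberately not stripped.
    if (text.startsWith('//') || text.startsWith('*')) return;
    const kinds = PATTERNS.filter((p) => p.re.test(text)).map((p) => p.kind);
    if (kinds.length > 0) {
      findings.push({ file, line: idx + 1, kinds, text });
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real project).
const SAMPLE = [
  "// $http.jsonp('commented out, must be ignored')",
  'function load($http, $scope) {',
  "  $http.get('/api/queries').then(r => { $scope.q = r.data; });",
  "  $http.jsonp('https://example.invalid/feed?callback=JSON_CALLBACK');",
  "  $http({ method: 'jsonp', url: $scope.userUrl });",
  '}',
].join('\n');

for (const f of findJsonpUsage(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.kinds.join(', ')}] ${f.text}`);
}
```

A hit only shows that the JSONP path is in use; where the URL passed to it comes from still needs manual review, and third-party bundles need their own pass.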