Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WS-2018-0022 (Medium) detected in angular-sanitize-1.5.0.js #4724

Closed
mend-for-github-com bot opened this issue Aug 14, 2023 · 4 comments
Closed

WS-2018-0022 (Medium) detected in angular-sanitize-1.5.0.js #4724

mend-for-github-com bot opened this issue Aug 14, 2023 · 4 comments
Assignees
@ananzh
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

WS-2018-0022 - Medium Severity Vulnerability

Vulnerable Library - angular-sanitize-1.5.0.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.5.0/angular-sanitize.js

Path to dependency file: /node_modules/ui-select/docs-out/demo-tagging.html

Path to vulnerable library: /node_modules/ui-select/docs-out/demo-tagging.html,/node_modules/ui-select/docs/index.html,/node_modules/ui-select/docs-built/demo-object-as-source.html

Dependency Hierarchy:

  • angular-sanitize-1.5.0.js (Vulnerable Library)

Found in HEAD commit: 1674c97b7650cfe7549a39b0ce4527f9692c7b67

Found in base branch: main

Vulnerability Details

XSS vulnerability in angular.js (1.6.8 and before)

Publish Date: 2018-01-06

URL: WS-2018-0022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-01-06

Fix Resolution: 1.6.9
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 14, 2023
@AMoo-Miki
Copy link
Collaborator

Probably needs a bump in ui-select

@ananzh
Copy link
Member

ananzh commented Aug 21, 2023
edited
Loading

The angular-sanitize module is specifically related to AngularJS, and it's used to sanitize HTML content. Currently it is used in legacy discover which we will remove in 2.10. There is another usage in tile_map

// TODO: Determine why visualizations don't populate without this
import 'angular-sanitize';

I think we should have map team to check on this. I will contact them and follow up here.

@ananzh
Copy link
Member

ananzh commented Oct 3, 2023

We have removed angularJS dependencies in main. Close this issue.

@ananzh ananzh closed this as completed Oct 3, 2023
@joshuarrrr
Copy link
Member

Resolved via #5086

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ananzh ananzh

Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@joshuarrrr @AMoo-Miki @ananzh