Multiple CVEs in angular package about redis-ui HOT 12 CLOSED

@p3x-robot Looking forward to get a solution from the xlts team. Your support is awsome. I really appreciate, how you take security that seriously. 👍

from redis-ui.

those vulnerabilities do not apply to redis-ui-material. as we are not using those vulnerabilities, only the angular.copy, which i have replaced with lodash cloneDeep.

from redis-ui.

ref: https://xlts.dev/

from redis-ui.

GHSA-prc3-vjfx-vhm9: we do not support Internet Explorer (i think it does not even work with that), should it would give a problem, i will reject by the user agent

GHSA-2vrf-hf26-jrp5: in the next version we will not use angular.copy

GHSA-2qqx-w9hr-q5gx: we do not use the $resource function

GHSA-qwqh-hm9m-p5hr: we do not use the input[url]

from redis-ui.

you can check out: https://p3x.redis.patrikx3.com/ if you can crash it :)

from redis-ui.

contacted xlts.dev, they said:
Hi Patrik,

Thanks for reaching out!

From my understanding our support would fix these vulnerabilities that you listed. I've sent this off to our technical team to confirm and provide context.

I'll be in touch shortly with an answer for you.

Best,

from redis-ui.

@p3x-robot Thank you very much for your commitment.

I also stumbled upon the following CVEs:
CVE-2021-4231 --> I guess this is not relevant because it affects @angular/core, right?
CVE-2022-25844 --> This seems to be fixed in AngularJS 1.8.8 (https://xlts.dev/blog/2022-04-11-xlts-for-angularjs-1-8-8), but as far as I know you are still using 1.8.3, right?

from redis-ui.

@p3x-robot Thank you very much for your commitment.

I also stumbled upon the following CVEs: CVE-2021-4231 --> I guess this is not relevant because it affects @angular/core, right? CVE-2022-25844 --> This seems to be fixed in AngularJS 1.8.8 (https://xlts.dev/blog/2022-04-11-xlts-for-angularjs-1-8-8), but as far as I know you are still using 1.8.3, right?

GHSA-c75v-2vq8-878f - it is after Angular 2, so it is not relevant

for GHSA-m2h2-264f-f486, I talked to the xlts.dev team and even though it is an open source app, they look like will help

from redis-ui.

by the end, they can only help if you have money for it, but i think it is not using those function that give a DOS error

from redis-ui.

@p3x-robot Thank you very much for your commitment.

I also stumbled upon the following CVEs: CVE-2021-4231 --> I guess this is not relevant because it affects @angular/core, right? CVE-2022-25844 --> This seems to be fixed in AngularJS 1.8.8 (https://xlts.dev/blog/2022-04-11-xlts-for-angularjs-1-8-8), but as far as I know you are still using 1.8.3, right?

Sorry if I'm blind but, isn't the lastest version of AngularJS 1.8.2? I couldn't find any newer version (for instance the 1.8.8 you mentioned). I'm trying to clear the vulnerability for an application as well, a brief clarification would help, thanks.

from redis-ui.

they did not provide the latest Angular version, because it is not free anymore.

from redis-ui.

Reference:
https://github.com/patrikx3/redis-ui?tab=readme-ov-file#angularjs-vulnerabilities

from redis-ui.