Open
Description
We have noticed that the used AngularJS version is pretty old and full of vulnerabilities.
Currently, AngularJS v1.0.6 is used; here is a list of some of the vulnerabilities:
- CVE-2019-10768
  - Description: In AngularJS before 1.7.9 the function 'merge()' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
- CVE-2019-14863
  - Description: There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
- CVE-2020-7676
  - Description: angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
It would be highly appreciated if we can release a new version including angular upgrade.
As a bare minimum, AngularJS 1.8.0 should be used, IMO.
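The `merge()` problem described under CVE-2019-10768 above, shown on a simplified recursive merge next to a guarded version. This is an added example, not AngularJS source and not part of the original issue; `naiveMerge`, `safeMerge`, `demo` and the sample input are constructed for illustration.

```javascript
// Added example: simplified deep merge, not the AngularJS implementation.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded merge: for the key "__proto__", dst[key] resolves to
// Object.prototype, so the recursion writes onto the shared prototype.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Guarded merge: skips prototype-related keys and only recurses into
// properties the destination object actually owns.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

function demo() {
  // Constructed input: JSON.parse keeps "__proto__" as an ordinary own key.
  const untrusted = JSON.parse('{"a": {"b": 1}, "__proto__": {"polluted": true}}');
  const safe = safeMerge({}, untrusted);
  const safeLeaked = ({}).polluted === true;   // unrelated object unaffected
  naiveMerge({}, untrusted);
  const naiveLeaked = ({}).polluted === true;  // every object now inherits it
  delete Object.prototype.polluted;            // undo the pollution
  return { safe, safeLeaked, naiveLeaked };
}

console.log(demo());
```

Upgrading the library remains the fix the issue asks for; the guard only illustrates the class of check that closes this kind of bug.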