Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
vegard_bakke
Partner - Creator III
Partner - Creator III

Security vulnerabilities in Qlik Sense' AngularJS

Qlik Sense is using AngualrJS 1.5.8, which has four known security vulnerabilities:

* https://snyk.io/test/npm/angular/1.5.8?severity=high&severity=medium&severity=low

It mentions:

* Content security policy bypass

* Cross-site scripting (x2)

* JSONP callback attack

with Medium severity.

Does anyone know if Qlik Sense is also vulnerable to this attacks, or if Qlik has fixed them in their released version of AngularJS?

Cheers

1 Solution

Accepted Solutions
iue
Employee
Employee

Thanks for raising this question.

It is in our plans to update angularjs to a newer version.

View solution in original post

7 Replies
iue
Employee
Employee

Thanks for raising this question.

It is in our plans to update angularjs to a newer version.

vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Hoping for June 2018 release, according to Qlik Support.

(There are a few backwards compatibility issues with the newer angular, apperently. )

Anonymous
Not applicable

Any update on this?  Doesn't look like AngularJS was upgraded in June 2018 release of Qlik Sense.

iue
Employee
Employee

Kevin,

The September18-release will include an upgrade to AngularJS 1.6.9. Our plan is to continue to upgrade AngularJS, so we always are on the latest 1.X version. Next planned upgrade is 1.7.X.

Please let me know if you have other questions.

Thanks!

nob-ruin
Contributor
Contributor

Does this vulnerability affect the desktop version?

 

 

nob-ruin
Contributor
Contributor

Does this vulnerability affect the desktop version?

vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Qlik Sense Server November 2018 is still using Angular 1.5.8.  A bit of disappointment her.

 

Qlik Sense Desktop would most likely have the exact same versions of Angular, and vulnerabilities.

But the question is if it matters.  Are there anyone else than yourself using your Sense Desktop?
The vulnerabilities are mainly cross-site-scripting attacks.