It noted that Angular 1.4.10 and jQuery 2.2.3 are in use, and that these both have known security issues.
I noted also it is possible to generate reports that trigger Angular expression parsing errors, so it might be possible to create a stored XSS issue via accessing constructors in Angular expressions, although I haven't demonstrated this. Migrating to a patched release of Angular may be easier than demonstrating Piwik isn't vulnerable to this (I'm still working out how I created parsing errors and will raise a ticket when I know).
I note also reports are only shown to the current owner, so this may not be usefully exploitable even if it is exploitable.
Thanks for the report. In https://github.com/piwik/piwik/pull/11021 we upgrade AngularJS but there was no change to the sanitize library, so we should be safe. We'll upgrade jQuery in a subsequent point release.
We need to update all JS libraries used at some point. Would be great if you (or someone else) could help with this :+1:
what about jQuery update?
Our security tests don't like outdated libraries (jQuery 2.2.3) :|
will just open this again :)