Upfort CVE-2021-4231 Angular Security Flaw

Ryan Pureber asked on June 6, 2025 17:35

I was recently made aware of an Upfront scan that flagged Angular as a security issue. This is on a 13.0.128 website. The only references I can find to Angular are for the admin's use of AngularJS. Would this end up bundled into any script/etc that would be included on the front-end site? I'm not sure if/why this would be flagged on the homepage when we do not look to be using Angular anywhere aside from the Kentico admin. I see the recent hotfix for 13.0.185; however, I do not think this will satisfy the Upfront scan. Full text from Upfront below.

CVE-2021-4231 is a security flaw in Angular, specifically in versions up to 11.0.4 and 11.1.0-next.2, where the way comments are handled can be exploited to perform cross-site scripting (XSS) attacks. This type of attack allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to unauthorized access to user data or session hijacking. The vulnerability requires user interaction, meaning a victim would need to be tricked into taking some action for the exploit to be successful. The severity of this vulnerability is considered medium by the National Vulnerability Database (NVD) with a base score of 5.4, indicating that it poses a significant risk, but there are factors that mitigate the overall threat, such as the need for user interaction and low privileges required for an attack. The impact on confidentiality and integrity is rated as low, suggesting that an exploit would not necessarily lead to a significant compromise of data or system integrity.
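One way to answer the bundling question above with evidence rather than guesswork is to fingerprint the served pages; the script below is an added example, not part of this post or of Kentico's or Upfront's code. It looks for Angular's `ng-version` root attribute and the AngularJS 1.x bundle header (both assumed markers) in captured HTML and script bodies, and compares any Angular 2+ version it finds against the range the scanner text quotes; sample pages, script bodies and the helper names are constructed.

```python
import re

# Affected versions as quoted from the scanner text on this page:
# Angular up to 11.0.4, plus the pre-release 11.1.0-next.2.
MAX_AFFECTED = (11, 0, 4)
AFFECTED_PRERELEASE = ((11, 1, 0), "next", 2)

# Fingerprints (assumed from how each framework marks its own output): Angular 2+
# stamps its root element with ng-version="X.Y.Z", and an AngularJS 1.x bundle
# opens with a header comment such as "AngularJS v1.8.2".
NG_VERSION_ATTR = re.compile(r'\bng-version="(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?"')
ANGULARJS_HEADER = re.compile(r"AngularJS v(\d+)\.(\d+)\.(\d+)")
SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.IGNORECASE)

def find_angular(html, scripts):
    """Return (framework, version, prerelease, location) per fingerprint; `scripts`
    maps each script src to its captured body, so the check runs offline."""
    found = []
    for m in NG_VERSION_ATTR.finditer(html):
        ver = tuple(int(x) for x in m.group(1, 2, 3))
        pre = (m.group(4), int(m.group(5))) if m.group(4) else None
        found.append(("Angular", ver, pre, "html"))
    for src in SCRIPT_SRC.findall(html):
        for m in ANGULARJS_HEADER.finditer(scripts.get(src, "")):
            found.append(("AngularJS", tuple(int(x) for x in m.groups()), None, src))
    return found

def is_affected(framework, version, prerelease):
    """True when a finding falls inside the quoted range. AngularJS 1.x is a separate
    code base from Angular 2+, so its 1.x.y numbers are never compared to that range."""
    if framework != "Angular":
        return False
    if version <= MAX_AFFECTED:
        return True
    base, tag, last = AFFECTED_PRERELEASE
    return version == base and prerelease is not None and prerelease[0] == tag and prerelease[1] <= last

# Constructed samples: a public homepage loading only a site bundle, an admin UI that
# ships AngularJS 1.x, and a page that bootstraps an Angular build inside the quoted range.
SAMPLE_PAGES = {
    "homepage": ('<div id="site"></div><script src="/bundle.js"></script>',
                 {"/bundle.js": "/* constructed site bundle, no framework markers */"}),
    "admin": ('<body ng-app="cms"><script src="/admin/angular.js"></script></body>',
              {"/admin/angular.js": "/*\n AngularJS v1.8.2\n*/"}),
    "legacy": ('<app-root ng-version="11.0.4"></app-root>', {}),
}

def assess(page_name):
    html, scripts = SAMPLE_PAGES[page_name]
    return [(fw, ".".join(map(str, ver)), is_affected(fw, ver, pre), where)
            for fw, ver, pre, where in find_angular(html, scripts)]
```

Running `assess` over a capture of the real homepage and admin pages shows whether the scanner's finding is backed by Angular 2+ markers in front-end output or only by the admin's AngularJS 1.x files.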
