If you are in a situation where you can read the version via devtools, you already have code execution privileges.
If you are doing recon on another website e.g. to find vulns, you can just guess the version based on the source code (yes, even if minified). Or just try to exploit the issues straight away.
So it makes absolutely no sense to try to hide the version of a client-side library.
As documented at https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/version-disclosure-lodash/, Lodash makes its version accessible to the user through a browser's developer tools.
This is reproducible by adding a dependency on Lodash 4.17.21 in a skeleton Angular project.
I realize the difficulty in redacting this information since Lodash is a client-side JavaScript utility library, but is there any way to configure Lodash to redact this information, or is it possible that it is not required and can be removed from Lodash?
How to test it?
Use console.log(_.templateSettings.imports._.templateSettings.imports._.VERSION); on the browser console