Open Atrium includes AngularJS version 1.3.7, bundled directly within its custom Angular module, not loaded via Drupal’s libraries system.

This version of AngularJS is vulnerable. Multiple CVEs exist for versions between 1.3.7 and 1.8.3, covering risks such as XSS, ReDoS, and content spoofing.

There is significant complexity in the changes between the bundled and currently-supported versions of AngularJS, and the risk of breaking existing custom integrations is high. Tag1 D7ES is marking the D7 version of OA Angular as insecure. Projects that depend on OA Angular, including OA Sitemap and OA Files, have been marked as unsupported.

Recommendation: Site owners should review their usage of affected projects and make a remediation plan. Uninstalling OA Angular is recommended. If that is not an option, please reach out to Tag1 to discuss alternatives.
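
Because the AngularJS copy is bundled inside the module rather than placed in a libraries directory, a review limited to libraries directories will not list it. The script below is an added example, not Tag1's or Open Atrium's code: it walks a Drupal code base, reads the version banner of each AngularJS file, and marks whether the copy sits under a `libraries` directory or is bundled elsewhere. It assumes each copy keeps the upstream banner comment; the function names are illustrative.

```shell
#!/bin/sh
# Added example: inventory AngularJS copies in a Drupal 7 code base.
# Assumption: each copy keeps its upstream banner comment ("AngularJS v1.3.7")
# within the first five lines, as official AngularJS builds do.

# Print the AngularJS version named in a file's banner, or nothing.
angular_version() {
  head -n 5 "$1" |
    LC_ALL=C grep -oE 'AngularJS v[0-9]+\.[0-9]+\.[0-9]+' |
    head -n 1 | sed 's/^AngularJS v//'
}

# Classify a path: "libraries" if it sits under a libraries directory,
# otherwise "bundled" (shipped inside a module, theme or profile).
copy_kind() {
  case "$1" in
    */libraries/*) echo libraries ;;
    *) echo bundled ;;
  esac
}

# Print "version<TAB>kind<TAB>path" for every AngularJS file under $1.
audit_angular() {
  find "$1" -type f -name '*.js' | sort | while IFS= read -r f; do
    v=$(angular_version "$f")
    if [ -n "$v" ]; then
      printf '%s\t%s\t%s\n' "$v" "$(copy_kind "$f")" "$f"
    fi
  done
}

# Count bundled copies at exactly version $2 (for example 1.3.7) under $1.
count_bundled() {
  audit_angular "$1" |
    awk -F '\t' -v v="$2" '$1 == v && $2 == "bundled"' |
    wc -l | tr -d ' '
}

# Usage: sh audit_angular.sh /path/to/drupal/docroot
if [ -d "${1:-}" ]; then audit_angular "$1"; fi
```

Every line reported as `bundled` is a copy that stays on disk for as long as the containing project is installed, so pair the output with the list of enabled projects when planning removal.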