AngularJS allows attackers to bypass common image source restrictions
- Severity:
- Low
Description
Improper sanitization of the value of the [srcset] attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 1.3.0-rc.4, <= 1.8.3
References
- GHSA-m9gf-397r-hwpg
- codepen.io
- www.herodevs.com
- security.netapp.com
- lists.debian.org
- CVE-2024-8372
- CWE-1289
- CAPEC-310
- OWASP 2021-A6
Related Issues
- AngularJS allows attackers to bypass common image source restrictions - angular - CVE-2024-8373
- Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server - CVE-2024-11023
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
You might also like:
- Tags:
- npm
- angular
Anything's wrong? Let us know
Last updated on November 03, 2025