Description
Improper sanitization of the value of the [srcset] attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 1.3.0-rc.4, <= 1.8.3
References
- GHSA-m9gf-397r-hwpg
- codepen.io
- www.herodevs.com
- security.netapp.com
- lists.debian.org
- CVE-2024-8372
- CWE-1289
- CAPEC-310
- OWASP 2021-A6
Related Issues
- AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6) - CVE-2024-8373
- Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server - CVE-2024-11023
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes - CVE-2019-14863
- Tags:
- npm
- angular
Anything's wrong? Let us know Last updated on November 03, 2025