AngularJS Cross-site Scripting due to failure to sanitize `xlink:href` attributes
Severity: Medium
Description
Versions of the angular npm package (AngularJS) prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting (XSS). The ngSanitize sanitizer does not treat `xlink:href` as a URL-bearing attribute, so its value is not checked against the safe-scheme allowlist that `href` and `src` values are checked against; a `javascript:` URL on an SVG `<a xlink:href="...">` element therefore survives sanitization. If that value is user-controlled, an attacker can execute arbitrary JavaScript in the victim's browser.
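The following is an added example that is not AngularJS code and not part of the original advisory. It reproduces the vulnerability class in a minimal attribute sanitizer: URL-valued attributes are checked against a scheme allowlist, and an attribute name missing from the "URL attribute" set (here `xlink:href`) passes through verbatim. The attribute sets, the scheme regex (modelled on AngularJS's default `aHrefSanitizationWhitelist`), the function names and the payload are all assumptions constructed for illustration; the actual tables in the affected versions may differ.

```javascript
// Added example: a minimal attribute sanitizer illustrating the xlink:href gap.
// Not AngularJS code; attribute sets, regexes and names are assumptions.

// Scheme allowlist modelled on AngularJS's default aHrefSanitizationWhitelist.
const SAFE_SCHEMES = /^\s*(https?|ftp|mailto|tel|file):/i;
// Matches any value that starts with something shaped like "scheme:".
const HAS_SCHEME = /^\s*[a-z][a-z0-9+.\-]*:/i;

// Attribute names whose values are URLs and must be scheme-checked.
// The "vulnerable" set omits xlink:href, as the affected versions effectively did;
// the "fixed" set includes it. Both sets are constructed for this example.
const URI_ATTRS_VULNERABLE = new Set(['href', 'src', 'background', 'cite', 'longdesc']);
const URI_ATTRS_FIXED = new Set([...URI_ATTRS_VULNERABLE, 'xlink:href']);

// A URL value is acceptable when it has no scheme (relative URL or a fragment
// such as "#icon") or when its scheme is on the allowlist.
function isSafeUrl(value) {
  return !HAS_SCHEME.test(value) || SAFE_SCHEMES.test(value);
}

// Drops URL-valued attributes whose scheme is not allowlisted. Attributes that
// are not in `uriAttrs` are copied through unchanged, which is exactly the gap
// when xlink:href is missing from that set.
function sanitizeAttrs(attrs, uriAttrs) {
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (uriAttrs.has(name) && !isSafeUrl(value)) continue; // unsafe URL: drop it
    out[name] = value;
  }
  return out;
}

// Serialises one element's start tag after sanitising its attributes.
function renderStartTag(tag, attrs, uriAttrs) {
  const kept = sanitizeAttrs(attrs, uriAttrs);
  const parts = Object.entries(kept).map(
    ([k, v]) => `${k}="${v.replace(/&/g, '&amp;').replace(/"/g, '&quot;')}"`
  );
  return `<${tag}${parts.length ? ' ' + parts.join(' ') : ''}>`;
}

// Detection helper for markup at rest: returns xlink:href values that carry a
// non-allowlisted scheme. Simplified regex (no whitespace inside quoted values).
function findUnsafeXlinkHref(html) {
  const re = /xlink:href\s*=\s*(["']?)([^"'\s>]*)\1/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!isSafeUrl(m[2])) hits.push(m[2]);
  }
  return hits;
}

// Constructed payload: an SVG link whose xlink:href is attacker-controlled.
const PAYLOAD_ATTRS = { 'xlink:href': 'javascript:alert(document.domain)' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderStartTag('a', PAYLOAD_ATTRS, URI_ATTRS_VULNERABLE));
  console.log('fixed:     ', renderStartTag('a', PAYLOAD_ATTRS, URI_ATTRS_FIXED));
  console.log('scan:', findUnsafeXlinkHref(
    '<svg><a xlink:href="javascript:alert(1)"><text>x</text></a></svg>'));
}
```

With the vulnerable set the payload is emitted as `<a xlink:href="javascript:alert(document.domain)">`; with the fixed set the attribute is dropped and the tag becomes `<a>`. The scan helper is the kind of cheap check to run over templates or stored content when upgrading is not immediately possible; it is a stopgap, not a replacement for the patched package.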
Recommendation
Update the angular package to the latest compatible version. Version details:
- Affected version(s): < 1.5.0-beta.1
- Patched version(s): 1.5.0-beta.1
References
- GHSA-r5fx-8r73-v86c
- bugzilla.redhat.com
- snyk.io
- www.npmjs.com
- CVE-2019-14863
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Materialize-css vulnerable to Cross-site Scripting in tooltip component - CVE-2019-11002
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- Cross-Site Scripting in serialize-javascript - CVE-2019-16769
Tags:
- npm
- angular
Last updated on January 27, 2023