CVE-2024-21490
https://notcve.org/view.php?id=CVE-2024-21490
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core). • https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-6241746 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6241747 https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos https://support.herodevs.com/hc/en-us/articles/25715686953485-CVE-2024-21490-AngularJS-Regular-Expression-Denial-of-Service-ReDoS • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2023-34840
https://notcve.org/view.php?id=CVE-2023-34840
angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability. • https://github.com/Xh4H/CVE-2023-34840 http://alexcrack.com https://github.com/alexcrack/angular-ui-notification • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-28444 – angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
https://notcve.org/view.php?id=CVE-2023-28444
angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deployment of an Angular based app, the environment variables based on the variables from ngssc.json are inserted into the apps index.html (or defined index file). With version 15.0.0 the environment variable detection was widened to the entire project, relative to the angular.json file from the Angular CLI. In a monorepo setup, this could lead to environment variables intended for a backend/service to be detected and written to the ngssc.json, which would then be populated and exposed via index.html. This has NO IMPACT, in a plain Angular project that has no backend component. • https://github.com/kyubisation/angular-server-side-configuration/commit/d701f51260637a84ede278e248934e0437a7ff86 https://github.com/kyubisation/angular-server-side-configuration/releases/tag/v15.1.0 https://github.com/kyubisation/angular-server-side-configuration/security/advisories/GHSA-gwvm-vrp4-4pp5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVE-2015-10035 – gperson angular-test-reporter data-server.js addTest sql injection
https://notcve.org/view.php?id=CVE-2015-10035
A vulnerability was found in gperson angular-test-reporter and classified as critical. This issue affects the function getProjectTables/addTest of the file rest-server/data-server.js. The manipulation leads to sql injection. The patch is named a29d8ae121b46ebfa96a55a9106466ab2ef166ae. It is recommended to apply a patch to fix this issue. • https://github.com/gperson/angular-test-reporter/commit/a29d8ae121b46ebfa96a55a9106466ab2ef166ae https://vuldb.com/?ctiid.217715 https://vuldb.com/?id.217715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-4231 – Angular Comment cross site scripting
https://notcve.org/view.php?id=CVE-2021-4231
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. • https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09 https://github.com/angular/angular/issues/40136 https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902 https://vuldb.com/?id.181356 https://access.redhat.com/security/cve/CVE-2021-4231 https://bugzilla.redhat.com/show_bug.cgi?id=2094052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •