CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-8372 – AngularJS improper sanitization in 'srcset' attribute
https://notcve.org/view.php?id=CVE-2024-8372
09 Sep 2024 — Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . Improper sanitizat... • https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 • CWE-1289: Improper Validation of Unsafe Equivalence in Input •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 5CVE-2023-26116
https://notcve.org/view.php?id=CVE-2023-26116
30 Mar 2023 — Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 5CVE-2023-26118
https://notcve.org/view.php?id=CVE-2023-26118
30 Mar 2023 — Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 5CVE-2023-26117
https://notcve.org/view.php?id=CVE-2023-26117
30 Mar 2023 — Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 4CVE-2022-25869 – Cross-site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-25869
15 Jul 2022 — All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements. Todas las versiones del paquete angular son vulnerables a un ataque de tipo Cross-site Scripting (XSS) debido al almacenamiento en caché no seguro de la página en el navegador Internet Explorer, que permite la interpolación de elementos (textarea) • https://glitch.com/edit/%23%21/angular-repro-textarea-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 5CVE-2022-25844 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2022-25844
01 May 2022 — The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher. El paquete angular versiones posteriores a 1.7.0 son vulnerables a una Denegación de Servicio por Expresión Regular (ReDoS) al ... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7676 – nodejs-angular: XSS due to regex-based HTML replacement
https://notcve.org/view.php?id=CVE-2020-7676
08 Jun 2020 — angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-14863 – angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
https://notcve.org/view.php?id=CVE-2019-14863
03 Dec 2019 — There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. Hay una vulnerabilidad en todas las versiones de angular anteriores a la versión 1.5.0-beta.0, donde después de escapar del contexto de la aplicación web, la aplicación web entrega datos a sus usuarios junto con otro contenido dinámico seguro, sin comprobarlo. A cross-site... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10768 – AngularJS: Prototype pollution in merge function could result in code injection
https://notcve.org/view.php?id=CVE-2019-10768
19 Nov 2019 — In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. En AngularJS versiones anteriores a 1.7.9, la función "merge()" podría ser engañada para agregar o modificar propiedades de "Object.prototype" usando una carga útil de " __proto__". A prototype pollution vulnerability was found in AngularJS. A remote attacker could abuse this flaw by providing malicious input to the merge() function by overriding or adding ... • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-16009
https://notcve.org/view.php?id=CVE-2017-16009
04 Jun 2018 — ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid. ag-grid es una cuadrícula de datos avanzada para diferentes bibliotecas.. ag-grid es vulnerable a Cross-Site Scripting (XSS) mediante expresiones angulares (Angular Expressions), si se emplea AngularJS en combinación con ag-grid. • https://github.com/ceolter/ag-grid/issues/1287 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •