CVE-2020-7676 – nodejs-angular: XSS due to regex-based HTML replacement
https://notcve.org/view.php?id=CVE-2020-7676
angular.js prior to 1.8.0 allows cross-site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized code. Wrapping "<option>" elements in "<select>" elements changes parsing behavior, possibly leading to unsanitized code. An XSS flaw was found in nodejs-angular.
• https://github.com/ossf-cve-benchmark/CVE-2020-7676
• https://github.com/angular/angular.js/pull/17028%2C
• https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E
• https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E
• https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E
• https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14863 – angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
https://notcve.org/view.php?id=CVE-2019-14863
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. A cross-site scripting (XSS) flaw was found in Angular. This flaw occurs due to improper sanitization of xlink:href attributes, which allows the web application to deliver data to users, along with other trusted content, without proper validation.
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
• https://snyk.io/vuln/npm:angular:20150807
• https://access.redhat.com/security/cve/CVE-2019-14863
• https://bugzilla.redhat.com/show_bug.cgi?id=1763589
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10768 – AngularJS: Prototype pollution in merge function could result in code injection
https://notcve.org/view.php?id=CVE-2019-10768
In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. A prototype pollution vulnerability was found in AngularJS. A remote attacker could abuse this flaw by providing malicious input to the `merge()` function, overriding or adding properties of `Object.prototype` and allowing possible injection of code.
• https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
• https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
• https://access.redhat.com/security/cve/CVE-2019-10768
• https://bugzilla.redhat.com/show_bug.cgi?id=1813309
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')