
CVE-2024-8372 – AngularJS improper sanitization in 'srcset' attribute
https://notcve.org/view.php?id=CVE-2024-8372
09 Sep 2024 — Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . Improper sanitizat... • https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 • CWE-1289: Improper Validation of Unsafe Equivalence in Input •

CVE-2020-7676 – nodejs-angular: XSS due to regex-based HTML replacement
https://notcve.org/view.php?id=CVE-2020-7676
08 Jun 2020 — angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "

CVE-2019-14863 – angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
https://notcve.org/view.php?id=CVE-2019-14863
03 Dec 2019 — There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. A cross-site... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-10768 – AngularJS: Prototype pollution in merge function could result in code injection
https://notcve.org/view.php?id=CVE-2019-10768
19 Nov 2019 — In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. A prototype pollution vulnerability was found in AngularJS. A remote attacker could abuse this flaw by providing malicious input to the merge() function by overriding or adding ... • https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •