Search criteria
33 vulnerabilities found for angularjs by angularjs
FKIE_CVE-2024-8372
Vulnerability from fkie_nvd - Published: 2024-09-09 15:15 - Updated: 2025-11-20 18:00
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| angularjs | angularjs | 1.3.0 | |
| angularjs | angularjs | 1.3.0 | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56693676-5347-4C6D-9FF2-977DE554B1E9",
"versionEndIncluding": "1.8.3",
"versionStartIncluding": "1.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:1.3.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "803A1BC5-B392-4540-8B22-2E5D66A3293D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:1.3.0:rc5:*:*:*:*:*:*",
"matchCriteriaId": "A5995620-3E19-48EC-964E-7B0C4794CF85",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
"matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*",
"matchCriteriaId": "E8F29E19-3A64-4426-A2AA-F169440267CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of the value of the \u0027srcset\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
},
{
"lang": "es",
"value": "La desinfecci\u00f3n incorrecta del valor del atributo \u0027[srcset]\u0027 en AngularJS permite a los atacantes eludir las restricciones comunes de origen de im\u00e1genes, lo que tambi\u00e9n puede provocar una forma de suplantaci\u00f3n de contenido https://owasp.org/www-community/attacks/Content_Spoofing . Este problema afecta a las versiones 1.3.0-rc.4 y posteriores de AngularJS. Nota: El proyecto AngularJS ha llegado al final de su vida \u00fatil y no recibir\u00e1 ninguna actualizaci\u00f3n para solucionar este problema. Para obtener m\u00e1s informaci\u00f3n, consulte aqu\u00ed https://docs.angularjs.org/misc/version-support-status ."
}
],
"id": "CVE-2024-8372",
"lastModified": "2025-11-20T18:00:14.787",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-09T15:15:12.560",
"references": [
{
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"
},
{
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20241122-0002/"
}
],
"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1289"
}
],
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8373
Vulnerability from fkie_nvd - Published: 2024-09-09 15:15 - Updated: 2025-11-20 18:00
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "325E6EA3-5991-4F81-955F-519C0FEAAA8A",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
"matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*",
"matchCriteriaId": "E8F29E19-3A64-4426-A2AA-F169440267CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of the value of the [srcset] attribute in \u003csource\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
},
{
"lang": "es",
"value": "La desinfecci\u00f3n incorrecta del valor del atributo [srcset] en los elementos HTML en AngularJS permite a los atacantes eludir las restricciones comunes de origen de las im\u00e1genes, lo que tambi\u00e9n puede provocar una forma de suplantaci\u00f3n de contenido https://owasp.org/www-community/attacks/Content_Spoofing . Este problema afecta a todas las versiones de AngularJS. Nota: El proyecto AngularJS ha llegado al final de su vida \u00fatil y no recibir\u00e1 ninguna actualizaci\u00f3n para solucionar este problema. Para obtener m\u00e1s informaci\u00f3n, consulte aqu\u00ed https://docs.angularjs.org/misc/version-support-status."
}
],
"id": "CVE-2024-8373",
"lastModified": "2025-11-20T18:00:14.787",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-09T15:15:12.887",
"references": [
{
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"
},
{
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"
}
],
"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-791"
}
],
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-26118
Vulnerability from fkie_nvd - Published: 2023-03-30 05:15 - Updated: 2025-11-20 17:53
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| fedoraproject | fedora | 38 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB17233C-A20B-4182-B8EC-652759FA193C",
"versionEndIncluding": "1.8.3",
"versionStartIncluding": "1.4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the \u003cinput type=\"url\"\u003e element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"id": "CVE-2023-26118",
"lastModified": "2025-11-20T17:53:57.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-30T05:15:07.750",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "report@snyk.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-26117
Vulnerability from fkie_nvd - Published: 2023-03-30 05:15 - Updated: 2025-11-20 17:53
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| fedoraproject | fedora | 38 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C545C186-F584-48D6-8776-5244F9DA372E",
"versionEndIncluding": "1.8.3",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"id": "CVE-2023-26117",
"lastModified": "2025-11-20T17:53:57.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-30T05:15:07.687",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "report@snyk.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-26116
Vulnerability from fkie_nvd - Published: 2023-03-30 05:15 - Updated: 2025-11-20 17:53
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| fedoraproject | fedora | 38 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7E36CFFF-D4D0-42F9-A38A-4BC77852642C",
"versionEndIncluding": "1.8.3",
"versionStartIncluding": "1.2.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"id": "CVE-2023-26116",
"lastModified": "2025-11-20T17:53:57.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-30T05:15:07.410",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "report@snyk.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-25869
Vulnerability from fkie_nvd - Published: 2022-07-15 20:15 - Updated: 2025-11-20 17:53
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F696B5B0-AAD1-4876-8AC0-3113503B2460",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of \u003ctextarea\u003e elements."
},
{
"lang": "es",
"value": "Todas las versiones del paquete angular son vulnerables a un ataque de tipo Cross-site Scripting (XSS) debido al almacenamiento en cach\u00e9 no seguro de la p\u00e1gina en el navegador Internet Explorer, que permite la interpolaci\u00f3n de elementos (textarea)"
}
],
"id": "CVE-2022-25869",
"lastModified": "2025-11-20T17:53:57.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-15T20:15:08.487",
"references": [
{
"source": "report@snyk.io",
"url": "https://neverendingsupport.github.io/angularjs-poc-cve-2022-25869"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJS-10771617"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJSCORE-6084031"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"source": "report@snyk.io",
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://glitch.com/edit/%23%21/angular-repro-textarea-xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "report@snyk.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-4231
Vulnerability from fkie_nvd - Published: 2022-05-26 14:15 - Updated: 2025-11-20 20:45
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09 | Patch, Third Party Advisory | |
| cna@vuldb.com | https://github.com/angular/angular/issues/40136 | Third Party Advisory | |
| cna@vuldb.com | https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.181356 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/angular/angular/issues/40136 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.181356 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angular:angular:11.1.0:next0:*:*:*:*:*:*",
"matchCriteriaId": "5BEA3D53-459D-4784-83D8-7E3A757CDB68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angular:angular:11.1.0:next1:*:*:*:*:*:*",
"matchCriteriaId": "88DC793C-B321-4474-ACE1-E24CA2D259E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angular:angular:11.1.0:next2:*:*:*:*:*:*",
"matchCriteriaId": "693B2F9E-936B-4EAB-ABD1-80E8AF65D1DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D50312C-DE0C-4B52-9DD8-BD5DB772B31B",
"versionEndExcluding": "11.0.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad en Angular versiones hasta 11.0.4/11.1.0-next.2. Ha sido clasificada como problem\u00e1tica. Est\u00e1 afectada la manipulaci\u00f3n de los comentarios. La manipulaci\u00f3n conlleva a un ataque de tipo cross site scripting. Es posible lanzar el ataque de forma remota, pero podr\u00eda requerir una autenticaci\u00f3n previa. La actualizaci\u00f3n a versiones 11.0.5 y 11.1.0-next.3 puede abordar este problema. El nombre del parche es ba8da742e3b243e8f43d4c63aa842b44e14f2b09. Es recomendado actualizar el componente afectado"
}
],
"id": "CVE-2021-4231",
"lastModified": "2025-11-20T20:45:30.863",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-26T14:15:07.953",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.181356"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.181356"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-25844
Vulnerability from fkie_nvd - Published: 2022-05-01 16:15 - Updated: 2025-11-20 17:53
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| fedoraproject | fedora | 35 | |
| fedoraproject | fedora | 36 | |
| netapp | ontap_select_deploy_administration_utility | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D138A72-F90D-40F9-AE60-4A76E71B0A7C",
"versionStartIncluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: \u0027 \u0027.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher."
},
{
"lang": "es",
"value": "El paquete angular versiones posteriores a 1.7.0 son vulnerables a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular (ReDoS) al proporcionar una regla de localizaci\u00f3n personalizada que permite asignar el par\u00e1metro en posPre: \" \".repeat() de NUMBER_FORMATS.PATTERNS[1].posPre con un valor muy alto. **Nota:** 1) Este paquete ha quedado obsoleto y ya no es mantenido. 2) Las versiones vulnerables son 1.7.0 y superiores"
}
],
"id": "CVE-2022-25844",
"lastModified": "2025-11-20T17:53:57.180",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-01T16:15:08.767",
"references": [
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
},
{
"source": "report@snyk.io",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-7676
Vulnerability from fkie_nvd - Published: 2020-06-08 14:15 - Updated: 2025-11-20 18:00
Severity ?
Summary
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "608A2675-9724-45AD-9EC0-8A7E648A137D",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\u003coption\u003e\" elements in \"\u003cselect\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code."
},
{
"lang": "es",
"value": "angular.js versiones anteriores a 1.8.0, permite un ataque de tipo cross site scripting. El reemplazo de HTML de entradas basadas en expresiones regulares puede convertir el c\u00f3digo saneado en uno no saneado. Al contener los elementos \"\" en los \"\" cambia el comportamiento del an\u00e1lisis, conllevando a un posible c\u00f3digo de desaneamiento"
}
],
"id": "CVE-2020-7676",
"lastModified": "2025-11-20T18:00:14.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-08T14:15:13.133",
"references": [
{
"source": "report@snyk.io",
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "report@snyk.io",
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "report@snyk.io",
"tags": [
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-14863
Vulnerability from fkie_nvd - Published: 2020-01-02 15:15 - Updated: 2025-11-20 18:00
Severity ?
Summary
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://snyk.io/vuln/npm:angular:20150807 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/npm:angular:20150807 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| redhat | decision_manager | 7.0 | |
| redhat | process_automation | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23561F6A-9A4E-49C9-94BE-DEEDC4C6F176",
"versionEndIncluding": "1.4.14",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
},
{
"lang": "es",
"value": "Hay una vulnerabilidad en todas las versiones de angular anteriores a la versi\u00f3n 1.5.0-beta.0, donde despu\u00e9s de escapar del contexto de la aplicaci\u00f3n web, la aplicaci\u00f3n web entrega datos a sus usuarios junto con otro contenido din\u00e1mico seguro, sin comprobarlo."
}
],
"id": "CVE-2019-14863",
"lastModified": "2025-11-20T18:00:14.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-02T15:15:12.193",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-8373 (GCVE-0-2024-8373)
Vulnerability from cvelistv5 – Published: 2024-09-09 14:48 – Updated: 2025-11-03 19:34
VLAI?
Summary
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Severity ?
4.8 (Medium)
CWE
- CWE-791 - Incomplete Filtering of Special Elements
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
George Kalpakas
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:04:03.093398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:06:07.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:59.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u003ctt\u003e[srcset]\u003c/tt\u003e attribute in \u003ctt\u003e\u0026lt;source\u0026gt;\u003c/tt\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects all versions of AngularJS.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the [srcset] attribute in \u003csource\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
},
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-791",
"description": "CWE-791: Incomplete Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:39:12.299Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027\u003csource\u003e\u0027 element",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8373",
"datePublished": "2024-09-09T14:48:41.513Z",
"dateReserved": "2024-09-02T08:44:29.571Z",
"dateUpdated": "2025-11-03T19:34:59.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8372 (GCVE-0-2024-8372)
Vulnerability from cvelistv5 – Published: 2024-09-09 14:46 – Updated: 2025-11-03 19:34
VLAI?
Summary
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Severity ?
4.8 (Medium)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
George Kalpakas
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.3.0-rc.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:06:37.579433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:07:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:58.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=1.3.0-rc.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u0027\u003ctt\u003esrcset\u003c/tt\u003e\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the \u0027srcset\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
},
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:39:48.004Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027srcset\u0027 attribute",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8372",
"datePublished": "2024-09-09T14:46:03.134Z",
"dateReserved": "2024-09-02T08:44:11.786Z",
"dateUpdated": "2025-11-03T19:34:58.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26116 (GCVE-0-2023-26116)
Vulnerability from cvelistv5 – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.2.21 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
George Kalpakas
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:05.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:36:07.312218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:36:16.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.21",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.21",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.23",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "George Kalpakas"
},
{
"lang": "en",
"value": "Michael Prentice"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:37.677Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26116",
"datePublished": "2023-03-30T05:00:03.402Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:05.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26118 (GCVE-0-2023-26118)
Vulnerability from cvelistv5 – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.4.9 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Michael Prentice
George Kalpakas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:08.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26118",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:33.331520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:37:39.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
},
{
"lang": "en",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the \u003cinput type=\"url\"\u003e element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:39.373Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26118",
"datePublished": "2023-03-30T05:00:02.352Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:08.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26117 (GCVE-0-2023-26117)
Vulnerability from cvelistv5 – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.0.0 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Michael Prentice
George Kalpakas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:07.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26117",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:38:00.220683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:38:14.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
},
{
"lang": "en",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:35.924Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26117",
"datePublished": "2023-03-30T05:00:01.348Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:07.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25869 (GCVE-0-2022-25869)
Vulnerability from cvelistv5 – Published: 2022-07-15 20:02 – Updated: 2025-07-28 09:59
VLAI?
Summary
All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
Severity ?
4.2 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
0 , < *
(semver)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://glitch.com/edit/%23%21/angular-repro-textarea-xss"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "AngularJS.Core",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "angularjs",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
}
],
"descriptions": [
{
"lang": "en",
"value": "All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of \u003ctextarea\u003e elements."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T09:59:04.148Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJSCORE-6084031"
},
{
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJS-10771617"
},
{
"url": "https://neverendingsupport.github.io/angularjs-poc-cve-2022-25869"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25869",
"datePublished": "2022-07-15T20:02:02.727939Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2025-07-28T09:59:04.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4231 (GCVE-0-2021-4231)
Vulnerability from cvelistv5 – Published: 2022-05-26 07:10 – Updated: 2025-04-15 14:38
VLAI?
Summary
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.
Severity ?
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | Angular |
Affected:
11.0.0
Affected: 11.0.1 Affected: 11.0.2 Affected: 11.0.3 Affected: 11.0.4 Affected: 11.1.0-next.0 Affected: 11.1.0-next.1 Affected: 11.1.0-next.2 |
Credits
Miško Hevery
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.181356"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:14:41.857765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:38:13.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Angular",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "11.0.0"
},
{
"status": "affected",
"version": "11.0.1"
},
{
"status": "affected",
"version": "11.0.2"
},
{
"status": "affected",
"version": "11.0.3"
},
{
"status": "affected",
"version": "11.0.4"
},
{
"status": "affected",
"version": "11.1.0-next.0"
},
{
"status": "affected",
"version": "11.1.0-next.1"
},
{
"status": "affected",
"version": "11.1.0-next.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mi\u0161ko Hevery"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-26T07:10:14.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.181356"
}
],
"title": "Angular Comment cross site scripting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2021-4231",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "Angular Comment cross site scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Angular",
"version": {
"version_data": [
{
"version_value": "11.0.0"
},
{
"version_value": "11.0.1"
},
{
"version_value": "11.0.2"
},
{
"version_value": "11.0.3"
},
{
"version_value": "11.0.4"
},
{
"version_value": "11.1.0-next.0"
},
{
"version_value": "11.1.0-next.1"
},
{
"version_value": "11.1.0-next.2"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Mi\u0161ko Hevery",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "3.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/angular/angular/issues/40136",
"refsource": "MISC",
"url": "https://github.com/angular/angular/issues/40136"
},
{
"name": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09",
"refsource": "MISC",
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"name": "https://vuldb.com/?id.181356",
"refsource": "MISC",
"url": "https://vuldb.com/?id.181356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4231",
"datePublished": "2022-05-26T07:10:14.000Z",
"dateReserved": "2022-05-26T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:38:13.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25844 (GCVE-0-2022-25844)
Vulnerability from cvelistv5 – Published: 2022-05-01 15:25 – Updated: 2025-11-03 19:26
VLAI?
Summary
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
Severity ?
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
Credits
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:56.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"name": "FEDORA-2022-e016e6f445",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"name": "FEDORA-2022-edf635cf39",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "next of 1.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
}
],
"datePublic": "2022-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: \u0027 \u0027.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T00:00:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"name": "FEDORA-2022-e016e6f445",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"name": "FEDORA-2022-edf635cf39",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
}
],
"title": "Regular Expression Denial of Service (ReDoS)"
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25844",
"datePublished": "2022-05-01T15:25:32.752Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:56.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-7676 (GCVE-0-2020-7676)
Vulnerability from cvelistv5 – Published: 2020-06-08 13:34 – Updated: 2024-08-04 09:41
VLAI?
Summary
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
Severity ?
No CVSS data available.
CWE
- Cross-site Scripting
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | angular.js |
Affected:
All versions prior to 1.8.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular.js",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\u003coption\u003e\" elements in \"\u003cselect\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-09T15:06:12",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2020-7676",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "angular.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to 1.8.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\u003coption\u003e\" elements in \"\u003cselect\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/angular/angular.js/pull/17028,",
"refsource": "MISC",
"url": "https://github.com/angular/angular.js/pull/17028,"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7676",
"datePublished": "2020-06-08T13:34:09",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-08-04T09:41:01.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14863 (GCVE-0-2019-14863)
Vulnerability from cvelistv5 – Published: 2020-01-02 14:20 – Updated: 2024-08-05 00:26
VLAI?
Summary
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Severity ?
7.1 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular:",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "all angular versions before 1.5.0-beta.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:20:50",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "angular:",
"version": {
"version_data": [
{
"version_value": "all angular versions before 1.5.0-beta.0"
}
]
}
}
]
},
"vendor_name": "Red Hat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"name": "https://snyk.io/vuln/npm:angular:20150807",
"refsource": "MISC",
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14863",
"datePublished": "2020-01-02T14:20:50",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8373 (GCVE-0-2024-8373)
Vulnerability from nvd – Published: 2024-09-09 14:48 – Updated: 2025-11-03 19:34
VLAI?
Summary
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Severity ?
4.8 (Medium)
CWE
- CWE-791 - Incomplete Filtering of Special Elements
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
George Kalpakas
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:04:03.093398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:06:07.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:59.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u003ctt\u003e[srcset]\u003c/tt\u003e attribute in \u003ctt\u003e\u0026lt;source\u0026gt;\u003c/tt\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects all versions of AngularJS.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the [srcset] attribute in \u003csource\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
},
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-791",
"description": "CWE-791: Incomplete Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:39:12.299Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027\u003csource\u003e\u0027 element",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8373",
"datePublished": "2024-09-09T14:48:41.513Z",
"dateReserved": "2024-09-02T08:44:29.571Z",
"dateUpdated": "2025-11-03T19:34:59.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8372 (GCVE-0-2024-8372)
Vulnerability from nvd – Published: 2024-09-09 14:46 – Updated: 2025-11-03 19:34
VLAI?
Summary
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Severity ?
4.8 (Medium)
CWE
- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
George Kalpakas
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.3.0-rc.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:06:37.579433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:07:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:58.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=1.3.0-rc.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u0027\u003ctt\u003esrcset\u003c/tt\u003e\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the \u0027srcset\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
},
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:39:48.004Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027srcset\u0027 attribute",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8372",
"datePublished": "2024-09-09T14:46:03.134Z",
"dateReserved": "2024-09-02T08:44:11.786Z",
"dateUpdated": "2025-11-03T19:34:58.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26116 (GCVE-0-2023-26116)
Vulnerability from nvd – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.2.21 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
George Kalpakas
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:05.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:36:07.312218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:36:16.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.21",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.21",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.2.23",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "George Kalpakas"
},
{
"lang": "en",
"value": "Michael Prentice"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:37.677Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406320"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406321"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406322"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-angular-copy-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26116",
"datePublished": "2023-03-30T05:00:03.402Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:05.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26118 (GCVE-0-2023-26118)
Vulnerability from nvd – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.4.9 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Michael Prentice
George Kalpakas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:08.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26118",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:33.331520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:37:39.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.9",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
},
{
"lang": "en",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the \u003cinput type=\"url\"\u003e element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:39.373Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26118",
"datePublished": "2023-03-30T05:00:02.352Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:08.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-26117 (GCVE-0-2023-26117)
Vulnerability from nvd – Published: 2023-03-30 05:00 – Updated: 2025-11-03 19:28
VLAI?
Summary
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Severity ?
5.3 (Medium)
CWE
- CWE-1333 - Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
1.0.0 , < *
(semver)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Michael Prentice
George Kalpakas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:07.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26117",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:38:00.220683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:38:14.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
},
{
"lang": "en",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:35.924Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406323"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406324"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406325"
},
{
"url": "https://stackblitz.com/edit/angularjs-vulnerability-resource-trailing-slashes-redos"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26117",
"datePublished": "2023-03-30T05:00:01.348Z",
"dateReserved": "2023-02-20T10:28:48.923Z",
"dateUpdated": "2025-11-03T19:28:07.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25869 (GCVE-0-2022-25869)
Vulnerability from nvd – Published: 2022-07-15 20:02 – Updated: 2025-07-28 09:59
VLAI?
Summary
All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
Severity ?
4.2 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | angular |
Affected:
0 , < *
(semver)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
Credits
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://glitch.com/edit/%23%21/angular-repro-textarea-xss"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.npm:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bower:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "org.webjars.bowergithub.angular:angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "AngularJS.Core",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"product": "angularjs",
"vendor": "n/a",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
}
],
"descriptions": [
{
"lang": "en",
"value": "All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of \u003ctextarea\u003e elements."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T09:59:04.148Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2949783"
},
{
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784"
},
{
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJSCORE-6084031"
},
{
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJS-10771617"
},
{
"url": "https://neverendingsupport.github.io/angularjs-poc-cve-2022-25869"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25869",
"datePublished": "2022-07-15T20:02:02.727939Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2025-07-28T09:59:04.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4231 (GCVE-0-2021-4231)
Vulnerability from nvd – Published: 2022-05-26 07:10 – Updated: 2025-04-15 14:38
VLAI?
Summary
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.
Severity ?
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | Angular |
Affected:
11.0.0
Affected: 11.0.1 Affected: 11.0.2 Affected: 11.0.3 Affected: 11.0.4 Affected: 11.1.0-next.0 Affected: 11.1.0-next.1 Affected: 11.1.0-next.2 |
Credits
Miško Hevery
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.322Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.181356"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:14:41.857765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:38:13.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Angular",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "11.0.0"
},
{
"status": "affected",
"version": "11.0.1"
},
{
"status": "affected",
"version": "11.0.2"
},
{
"status": "affected",
"version": "11.0.3"
},
{
"status": "affected",
"version": "11.0.4"
},
{
"status": "affected",
"version": "11.1.0-next.0"
},
{
"status": "affected",
"version": "11.1.0-next.1"
},
{
"status": "affected",
"version": "11.1.0-next.2"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mi\u0161ko Hevery"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-26T07:10:14.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/issues/40136"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.181356"
}
],
"title": "Angular Comment cross site scripting",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2021-4231",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "Angular Comment cross site scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Angular",
"version": {
"version_data": [
{
"version_value": "11.0.0"
},
{
"version_value": "11.0.1"
},
{
"version_value": "11.0.2"
},
{
"version_value": "11.0.3"
},
{
"version_value": "11.0.4"
},
{
"version_value": "11.1.0-next.0"
},
{
"version_value": "11.1.0-next.1"
},
{
"version_value": "11.1.0-next.2"
}
]
}
}
]
},
"vendor_name": ""
}
]
}
},
"credit": "Mi\u0161ko Hevery",
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "3.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/angular/angular/issues/40136",
"refsource": "MISC",
"url": "https://github.com/angular/angular/issues/40136"
},
{
"name": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09",
"refsource": "MISC",
"url": "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09"
},
{
"name": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902"
},
{
"name": "https://vuldb.com/?id.181356",
"refsource": "MISC",
"url": "https://vuldb.com/?id.181356"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4231",
"datePublished": "2022-05-26T07:10:14.000Z",
"dateReserved": "2022-05-26T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:38:13.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25844 (GCVE-0-2022-25844)
Vulnerability from nvd – Published: 2022-05-01 15:25 – Updated: 2025-11-03 19:26
VLAI?
Summary
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
Severity ?
5.3 (Medium)
CWE
- Regular Expression Denial of Service (ReDoS)
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
Credits
Michael Prentice
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:56.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"tags": [
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"name": "FEDORA-2022-e016e6f445",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"name": "FEDORA-2022-edf635cf39",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "next of 1.7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Michael Prentice"
}
],
"datePublic": "2022-05-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: \u0027 \u0027.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitCodeMaturity": "FUNCTIONAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.2,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regular Expression Denial of Service (ReDoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-28T00:00:00.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220629-0009/"
},
{
"name": "FEDORA-2022-e016e6f445",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3/"
},
{
"name": "FEDORA-2022-edf635cf39",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO/"
}
],
"title": "Regular Expression Denial of Service (ReDoS)"
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25844",
"datePublished": "2022-05-01T15:25:32.752Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:56.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-7676 (GCVE-0-2020-7676)
Vulnerability from nvd – Published: 2020-06-08 13:34 – Updated: 2024-08-04 09:41
VLAI?
Summary
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
Severity ?
No CVSS data available.
CWE
- Cross-site Scripting
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | angular.js |
Affected:
All versions prior to 1.8.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular.js",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\u003coption\u003e\" elements in \"\u003cselect\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-09T15:06:12",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular.js/pull/17028%2C"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2020-7676",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "angular.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to 1.8.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\u003coption\u003e\" elements in \"\u003cselect\u003e\" ones changes parsing behavior, leading to possibly unsanitizing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/angular/angular.js/pull/17028,",
"refsource": "MISC",
"url": "https://github.com/angular/angular.js/pull/17028,"
},
{
"name": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-570058"
},
{
"name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] vivekratnavel opened a new pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [jira] [Created] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201006 [GitHub] [hadoop-ozone] dineshchitlangia commented on a change in pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201007 [GitHub] [hadoop-ozone] vivekratnavel commented on pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [jira] [Updated] (HDDS-4316) Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-commits] 20201008 [hadoop-ozone] branch master updated: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676 (#1481)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201008 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E"
},
{
"name": "[hadoop-ozone-issues] 20201009 [GitHub] [hadoop-ozone] adoroszlai merged pull request #1481: HDDS-4316. Upgrade to angular 1.8.0 due to CVE-2020-7676",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-7676",
"datePublished": "2020-06-08T13:34:09",
"dateReserved": "2020-01-21T00:00:00",
"dateUpdated": "2024-08-04T09:41:01.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14863 (GCVE-0-2019-14863)
Vulnerability from nvd – Published: 2020-01-02 14:20 – Updated: 2024-08-05 00:26
VLAI?
Summary
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Severity ?
7.1 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "angular:",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "all angular versions before 1.5.0-beta.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:20:50",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14863",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "angular:",
"version": {
"version_data": [
{
"version_value": "all angular versions before 1.5.0-beta.0"
}
]
}
}
]
},
"vendor_name": "Red Hat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863"
},
{
"name": "https://snyk.io/vuln/npm:angular:20150807",
"refsource": "MISC",
"url": "https://snyk.io/vuln/npm:angular:20150807"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14863",
"datePublished": "2020-01-02T14:20:50",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}