All the vulnerabilites related to Google - AngularJS
cve-2024-8372
Vulnerability from cvelistv5
Published
2024-09-09 14:46
Modified
2024-11-22 12:04
Severity ?
EPSS score ?
Summary
Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.herodevs.com/vulnerability-directory/cve-2024-8372 | third-party-advisory | |
| https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 | technical-description, exploit |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.3.0-rc.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:06:37.579433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:07:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-22T12:04:51.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.3.0-rc.4",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u0027\u003ctt\u003e[srcset]\u003c/tt\u003e\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the \u0027[srcset]\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T14:58:56.291Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027srcset\u0027 attribute",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8372",
"datePublished": "2024-09-09T14:46:03.134Z",
"dateReserved": "2024-09-02T08:44:11.786Z",
"dateUpdated": "2024-11-22T12:04:51.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-8373
Vulnerability from cvelistv5
Published
2024-09-09 14:48
Modified
2024-11-22 12:04
Severity ?
EPSS score ?
Summary
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.herodevs.com/vulnerability-directory/cve-2024-8373 | third-party-advisory | |
| https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b | technical-description, exploit |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:04:03.093398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:06:07.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-22T12:04:52.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u003ctt\u003e[srcset]\u003c/tt\u003e attribute in \u003ctt\u003e\u0026lt;source\u0026gt;\u003c/tt\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects all versions of AngularJS.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the [srcset] attribute in \u003csource\u003e HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-791",
"description": "CWE-791: Incomplete Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:16:49.287Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027\u003csource\u003e\u0027 element",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8373",
"datePublished": "2024-09-09T14:48:41.513Z",
"dateReserved": "2024-09-02T08:44:29.571Z",
"dateUpdated": "2024-11-22T12:04:52.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}