Search for packages
| purl | pkg:deb/debian/angular.js@1.8.3-1%2Bdeb12u1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1x1p-ye9j-rug4 | Improper sanitization of the value of the `[srcset]` attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . |
CVE-2024-8372
GHSA-m9gf-397r-hwpg |
| VCID-3mrw-2h7j-zfdv | Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been identified in the **Angular Template Compiler**. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain [`javascript:` URLs](https://developer.mozilla.org/en-US/Web/URI/Reference/Schemes/javascript)) as requiring strict URL security, enabling the injection of malicious scripts. Additionally, a related vulnerability exists involving SVG animation elements (`<animate>`, `<set>`, `<animateMotion>`, `<animateTransform>`). The `attributeName` attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like `href` or `xlink:href` on other elements. By binding `attributeName` to "href" and providing a `javascript:` URL in the `values` or `to` attribute, an attacker could bypass sanitization and execute arbitrary code. Attributes confirmed to be vulnerable include: * SVG-related attributes: (e.g., `xlink:href`), and various MathML attributes (e.g., `math|href`, `annotation|href`). * SVG animation `attributeName` attribute when bound to "href" or "xlink:href". When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., `[attr.xlink:href]="maliciousURL"` or `<animate [attributeName]="'href'" [values]="maliciousURL">`), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a `javascript:URL` payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin. |
CVE-2025-66412
GHSA-v4hv-rgfq-gp49 |
| VCID-6map-62jp-tkgu | angular vulnerable to regular expression denial of service via the $resource service All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. |
CVE-2023-26117
GHSA-2qqx-w9hr-q5gx |
| VCID-8juz-913g-zfdb | angular vulnerable to super-linear runtime due to backtracking This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core). |
CVE-2024-21490
GHSA-4w4v-5hc9-xrr2 |
| VCID-cfxn-m6af-2kb8 | Improper sanitization of the value of the `[srcset]` attribute in `<source>` HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . |
CVE-2024-8373
GHSA-mqm9-c95h-x2p6 |
| VCID-cpwp-gasq-kffz | angular vulnerable to regular expression denial of service via the <input type="url"> element All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. |
CVE-2023-26118
GHSA-qwqh-hm9m-p5hr |
| VCID-ex2m-smbh-3kgy | AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes Versions of `angular` prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize `xlink:href` attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled. ## Recommendation Upgrade to version 1.5.0-beta.1 or later. |
CVE-2019-14863
GHSA-r5fx-8r73-v86c |
| VCID-ms76-c5dn-23hx | Angular has XSS Vulnerability via Unsanitized SVG Script Attributes A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as a **Resource URL** context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections. When template binding is used to assign user-controlled data to these attributes for example, `<script [attr.href]="userInput">` the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a `data:text/javascript` URI or a link to an external malicious script. ### Impact When successfully exploited, this vulnerability allows for **arbitrary JavaScript execution** within the context of the victim's browser session. This can lead to: - **Session Hijacking:** Stealing session cookies, localStorage data, or authentication tokens. - **Data Exfiltration:** Accessing and transmitting sensitive information displayed within the application. - **Unauthorized Actions:** Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user. ### Attack Preconditions 1. The victim application must explicitly use SVG `<script>` elements within its templates. 2. The application must use property or attribute binding (interpolation) for the `href` or `xlink:href` attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses). ### Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0 ### Workarounds Until the patch is applied, developers should: - **Avoid Dynamic Bindings**: Do not use Angular template binding (e.g., `[attr.href]`) for SVG `<script>` elements. - **Input Validation**: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template. ### Resources - https://github.com/angular/angular/pull/66318 |
CVE-2026-22610
GHSA-jrmj-c5cx-3cw6 |
| VCID-njvf-2y8u-5kfw | AngularJS improperly sanitizes SVG elements Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . |
CVE-2025-0716
GHSA-j58c-ww9w-pwp5 |
| VCID-qwfu-v1x6-e3ep | angular vulnerable to regular expression denial of service via the angular.copy() utility All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. |
CVE-2023-26116
GHSA-2vrf-hf26-jrp5 |
| VCID-rvrc-5q4c-63bh | Angular vulnerable to Cross-site Scripting angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping `<option>` elements in `<select>` ones changes parsing behavior, leading to possibly unsanitizing code. |
CVE-2020-7676
GHSA-mhp6-pxh8-r675 |
| VCID-s1yh-7m2a-y3g3 | AngularJS Incomplete Filtering of Special Elements vulnerability Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects AngularJS versions greater than or equal to 1.3.1. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . |
CVE-2025-2336
GHSA-4p4w-6hg8-63wx |
| VCID-tgyd-qy7s-kkew | angular vulnerable to regular expression denial of service (ReDoS) AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1. This package has been deprecated and is no longer maintained. 2. The vulnerable versions are 1.7.0 and higher. |
CVE-2022-25844
GHSA-m2h2-264f-f486 |
| VCID-x8wa-kpm3-abh9 | Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header. |
CVE-2025-66035
GHSA-58c5-g7wp-6w37 |
| VCID-xd5a-s1n3-bkhg | angular Prototype Pollution vulnerability Versions of `angular ` prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function `merge()` does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects. ## Recommendation Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality. |
CVE-2019-10768
GHSA-89mq-4x47-5v83 |