{"url":"http://public2.vulnerablecode.io/api/packages/100957?format=json","purl":"pkg:npm/angular@1.6.0-rc.2","type":"npm","namespace":"","name":"angular","version":"1.6.0-rc.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.7.9","latest_non_vulnerable_version":"1.8.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11305?format=json","vulnerability_id":"VCID-3xrn-c2s9-puc4","summary":"Denial of service in $sanitize\nRunning $sanitize on bad HTML can freeze the browser. The problem occurs with clobbered data; typically the \"nextSibling\" property on an element is changed to one of its child nodes, this makes it impossible to walk the HTML tree and leads to an infinite loop which freezes the browser.","references":[],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52268?format=json","purl":"pkg:npm/angular@1.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7bqm-uvf4-3yad"},{"vulnerability":"VCID-udyf-r4mh-x7cu"},{"vulnerability":"VCID-z2pj-4dxf-3qag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.3"}],"aliases":["GMS-2017-115"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3xrn-c2s9-puc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11412?format=json","vulnerability_id":"VCID-7bqm-uvf4-3yad","summary":"XSS in $sanitize in Safari/Firefox\nBoth Firefox and Safari are vulnerable to XSS if we use an inert document created via 
`document.implementation.createHTMLDocument()`.","references":[{"reference_url":"https://github.com/angular/angular.js/blob/master/CHANGELOG.md#165-toffee-salinization-2017-07-03","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/blob/master/CHANGELOG.md#165-toffee-salinization-2017-07-03"},{"reference_url":"https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52576?format=json","purl":"pkg:npm/angular@1.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-udyf-r4mh-x7cu"},{"vulnerability":"VCID-z2pj-4dxf-3qag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.5"}],"aliases":["GMS-2017-134"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7bqm-uvf4-3yad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11289?format=json","vulnerability_id":"VCID-uax8-wmy5-93hz","summary":"Bypass CSP protection\n, AngularJS allows bootstrapping of invalid/bad svg and currentScript if it was 
clobbered.","references":[{"reference_url":"https://github.com/angular/angular.js/blob/master/CHANGELOG.md#bug-fixes-5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/blob/master/CHANGELOG.md#bug-fixes-5"},{"reference_url":"https://github.com/angular/angular.js/commit/95f964b827b6f5b5aab10af54f7831316c7a9935","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/commit/95f964b827b6f5b5aab10af54f7831316c7a9935"},{"reference_url":"https://github.com/angular/angular.js/commit/c8f78a8ca9debc33a6deaf951f344b8d372bf210","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/commit/c8f78a8ca9debc33a6deaf951f344b8d372bf210"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52268?format=json","purl":"pkg:npm/angular@1.6.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7bqm-uvf4-3yad"},{"vulnerability":"VCID-udyf-r4mh-x7cu"},{"vulnerability":"VCID-z2pj-4dxf-3qag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.3"}],"aliases":["GMS-2017-110"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uax8-wmy5-93hz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12128?format=json","vulnerability_id":"VCID-udyf-r4mh-x7cu","summary":"Cross Site Scripting\nOn Firefox there is an XSS vulnerability if a malicious attacker can write into the `xml:base` attribute on an SVG 
anchor.","references":[{"reference_url":"https://github.com/RetireJS/retire.js/commit/ed3512729af76583b28611a4a1b6a8797d7f074c#diff-8b52b7156debed9dd797400ff51e3e15","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/RetireJS/retire.js/commit/ed3512729af76583b28611a4a1b6a8797d7f074c#diff-8b52b7156debed9dd797400ff51e3e15"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53966?format=json","purl":"pkg:npm/angular@1.6.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z2pj-4dxf-3qag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.9"}],"aliases":["GMS-2018-9"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-udyf-r4mh-x7cu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13758?format=json","vulnerability_id":"VCID-vxcp-eaa7-nyab","summary":"Cross-Site Scripting via JSONP\nJSONP allows untrusted resource URLs, which provides a vector for attack by malicious 
actors.","references":[{"reference_url":"https://github.com/angular/angular.js/commit/6476af83cd0418c84e034a955b12a842794385c4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/commit/6476af83cd0418c84e034a955b12a842794385c4"},{"reference_url":"https://www.npmjs.com/advisories/1630","reference_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/1630"},{"reference_url":"https://github.com/advisories/GHSA-28hp-fgcr-2r4h","reference_id":"GHSA-28hp-fgcr-2r4h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-28hp-fgcr-2r4h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51897?format=json","purl":"pkg:npm/angular@1.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3xrn-c2s9-puc4"},{"vulnerability":"VCID-7bqm-uvf4-3yad"},{"vulnerability":"VCID-uax8-wmy5-93hz"},{"vulnerability":"VCID-udyf-r4mh-x7cu"},{"vulnerability":"VCID-z2pj-4dxf-3qag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.0"}],"aliases":["GHSA-28hp-fgcr-2r4h","GMS-2019-114"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vxcp-eaa7-nyab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136893?format=json","vulnerability_id":"VCID-z2pj-4dxf-3qag","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10768","reference_id":"","reference_type":"","scores":[{"value":"0.00411","scoring_system":"epss","scoring_elements":"0.61708","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10768"},{"reference_url":"https://github.com/angular/angular.js","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js"},{"reference_url":"https://github.com/angula
r/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3"},{"reference_url":"https://github.com/angular/angular.js/pull/16913","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/angular/angular.js/pull/16913"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[],"url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-ANGULAR-534884","reference_id":"","reference_type":"","scores":[],"url":"https://snyk.io/vuln/SNYK-JS-ANGULAR-534884"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945249","reference_id":"945249","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945249"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10768","reference_id":"CVE-2019-10768","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10768"},{"reference_url":"https://github.com/advisories/GHSA-89mq-4x47-5v83","reference_id":"GHSA-89mq-4x47-5v83","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-89mq-4x47-5v83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74405?format=json","purl":"pkg:npm/angular@1.7.9","is_vulnerable":
false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.7.9"}],"aliases":["CVE-2019-10768","GHSA-89mq-4x47-5v83"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z2pj-4dxf-3qag"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/angular@1.6.0-rc.2"}