| purl | pkg:npm/angular@1.3.3 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-55sp-gp98-23gr Aliases: GMS-2017-134 | XSS in $sanitize in Safari/Firefox. Both Firefox and Safari are vulnerable to XSS if we use an inert document created via `document.implementation.createHTMLDocument()`. | Affected by 11 other vulnerabilities. |
| VCID-5zzk-7d69-s7hn Aliases: CVE-2023-26118 GHSA-qwqh-hm9m-p5hr | Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | There are no reported fixed by versions. |
| VCID-67hr-2fv8-ykcj Aliases: CVE-2019-10768 GHSA-89mq-4x47-5v83 | angular Prototype Pollution vulnerability | Affected by 10 other vulnerabilities. |
| VCID-758x-qqp7-2qah Aliases: CVE-2024-21490 GHSA-4w4v-5hc9-xrr2 | | There are no reported fixed by versions. |
| VCID-8nch-3tex-67dc Aliases: CVE-2020-7676 GHSA-mhp6-pxh8-r675 | Angular vulnerable to Cross-site Scripting | Affected by 9 other vulnerabilities. |
| VCID-cy2q-mtff-5kg4 Aliases: CVE-2024-8373 GHSA-mqm9-c95h-x2p6 | Improper sanitization of the value of the [srcset] attribute in `<source>` HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status. | There are no reported fixed by versions. |
| VCID-erfv-zy2t-hfhz Aliases: CVE-2024-8372 GHSA-m9gf-397r-hwpg | Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status. | There are no reported fixed by versions. |
| VCID-g6uy-ey69-93b8 Aliases: CVE-2022-25869 GHSA-prc3-vjfx-vhm9 | All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of `<textarea>` elements. | There are no reported fixed by versions. |
| VCID-gn5u-gf3m-f3c1 Aliases: CVE-2023-26116 GHSA-2vrf-hf26-jrp5 | | There are no reported fixed by versions. |
| VCID-knpg-smez-63bc Aliases: GMS-2017-110 | Bypass CSP protection: AngularJS allows bootstrapping of invalid/bad svg and currentScript if it was clobbered. | Affected by 12 other vulnerabilities. |
| VCID-n4ww-dxd4-2udn Aliases: GMS-2018-9 | Cross Site Scripting. On Firefox there is an XSS vulnerability if a malicious attacker can write into the `xml:base` attribute on an SVG anchor. | Affected by 10 other vulnerabilities. |
| VCID-p1jd-7g5e-cba6 Aliases: GMS-2017-115 | Denial of service in $sanitize. Running $sanitize on bad HTML can freeze the browser. The problem occurs with clobbered data; typically the "nextSibling" property on an element is changed to one of its child nodes, which makes it impossible to walk the HTML tree and leads to an infinite loop that freezes the browser. | Affected by 12 other vulnerabilities. |
| VCID-p225-18fx-d7gr Aliases: CVE-2025-0716 GHSA-j58c-ww9w-pwp5 | Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '`<image>`' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing) and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status. | There are no reported fixed by versions. |
| VCID-sjvs-aer9-h3fx Aliases: CVE-2023-26117 GHSA-2qqx-w9hr-q5gx | Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. | There are no reported fixed by versions. |
| VCID-ssaf-wq66-cubj Aliases: CVE-2019-14863 GHSA-r5fx-8r73-v86c | AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes | Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
| VCID-xp29-gqf1-hyg6 Aliases: GMS-2016-73 | Bypass CSP protection. Extension URIs (`resource://...`) bypass `Content-Security-Policy` in Chrome and Firefox and can always be loaded. If a site already has an XSS bug and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection. | Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-ybnx-xvb3-wkga Aliases: GHSA-28hp-fgcr-2r4h GMS-2019-114 | Cross-Site Scripting via JSONP | Affected by 14 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |