Lucene search

GoogleOSV:GHSA-C75V-2VQ8-878F

HistoryMay 27, 2022 - 12:01 a.m.

Cross site scripting in Angular

2022-05-2700:01:08

Google

osv.dev

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 10.2.5, 11.0.5 or 11.1.0-next.3 is advised to to address this issue.

CPENameOperatorVersion
@angular/corelt11.0.5
@angular/corelt11.1.0-next.3
@angular/corelt10.2.5
@angular/corege11.1.0-next.0
@angular/corege11.0.0

Name	Operator	Version
@angular/core	lt	11.0.5
@angular/core	lt	11.1.0-next.3
@angular/core	lt	10.2.5
@angular/core	ge	11.1.0-next.0
@angular/core	ge	11.0.0

References

github.com/angular/angular

github.com/angular/angular/commit/0aa220bc0000fc4d1651ec388975bbf5baa1da36

github.com/angular/angular/commit/47d9b6d72dab9d60c96bc1c3604219f6385649ea

github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09

github.com/angular/angular/issues/40136

nvd.nist.gov/vuln/detail/CVE-2021-4231

security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902

vuldb.com/?id.181356