An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template ex…

CVSS: 4.6 · CWE: CWE-1336

View on NVD

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security…

CVSS: 6.1 · CWE: CWE-22

View on NVD

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

CVSS: 10.0 · CWE: CWE-95

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\ev…

CVSS: 5.3 · CWE: CWE-918

View on NVD

The Angular SSR is a server-rise rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in `@angular/ssr` due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., `///`), the internal validat…

CVSS: 6.1 · CWE: CWE-601

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together w…

CVSS: 9.0 · CWE: CWE-79

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and…

CVSS: 6.1 · CWE: CWE-79

View on NVD

The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X…

CVSS: 9.2 · CWE: CWE-918

View on NVD

The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. W…

CVSS: 6.9 · CWE: CWE-601

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink…

CVSS: 6.1 · CWE: CWE-79

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in sec…

CVSS: 5.4 · CWE: CWE-79

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) to…

CVSS: 7.7 · CWE: CWE-201

View on NVD

A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

CVSS: 5.4 · CWE: CWE-79

View on NVD

The Angular SSR is a server-rise rendering tool for Angular applications. The vulnerability is a Server-Side Request Forgery (SSRF) flaw within the URL resolution mechanism of Angular's Server-Side Rendering package (@angular/ssr) before 19.2.18, 20.3.6, and 21.0.0-next.8. The function createRequestUrl uses the native URL constructor. When an incoming request path (e.g., originalUrl or url) begin…

CVSS: 8.7 · CWE: CWE-918

View on NVD

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they…

CVSS: 7.1 · CWE: CWE-362

View on NVD

A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to th…

CVSS: 6.1 · CWE: CWE-79

View on NVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tauhidul Alam Advanced Angular Contact Form advanced-angular-contact-form allows Reflected XSS.This issue affects Advanced Angular Contact Form: from n/a through <= 1.1.0.

CVSS: 7.1 · CWE: CWE-79

View on NVD

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular…

CVSS: 9.3 · CWE: CWE-94

View on NVD

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings

CVSS: 4.6 · CWE: CWE-79

View on NVD

angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This…

CVSS: 9.8 · CWE: CWE-434

View on NVD

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes the application to consume an excessive amount of CPU resources. This vulnerability affects the latest…

CVSS: 7.5 · CWE: CWE-1333

View on NVD

angular-translate through 2.19.1 allows XSS via a crafted key that is used by the translate directive. NOTE: the vendor indicates that there is no documentation indicating that a key is supposed to be safe against XSS attacks.

CVSS: 6.1 · CWE: CWE-79

View on NVD

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users sho…

CVSS: 7.5 · CWE: CWE-1333

View on NVD

vantage6-UI is the User Interface for vantage6. The docker image used to run the UI leaks the nginx version. To mitigate the vulnerability, users can run the UI as an angular application. This vulnerability was patched in 4.2.0.

CVSS: 3.3 · CWE: CWE-200

View on NVD

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) could allow a remote attacker to execute arbitrary code on the system, caused by an angular template injection flaw. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 248119.

CVSS: 6.5 · CWE: CWE-79

View on NVD

Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instr…

CVSS: 6.7 · CWE: CWE-79

View on NVD

angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.

CVSS: 6.1 · CWE: CWE-79

View on NVD

Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

CVSS: 5.3 · CWE: CWE-1333

View on NVD

Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

CVSS: 5.3 · CWE: CWE-1333

View on NVD

Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

CVSS: 5.3 · CWE: CWE-1333

View on NVD

angular-server-side-configuration helps configure an angular application at runtime on the server or in a docker container via environment variables. angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI project. The detected environment variables are written to a ngssc.json file in the output directory. During deploymen…

CVSS: 9.9 · CWE: CWE-200

View on NVD

textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known patches.

CVSS: 6.1 · CWE: CWE-79

View on NVD

A vulnerability was found in gperson angular-test-reporter and classified as critical. This issue affects the function getProjectTables/addTest of the file rest-server/data-server.js. The manipulation leads to sql injection. The patch is named a29d8ae121b46ebfa96a55a9106466ab2ef166ae. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-2177…

CVSS: 5.5 · CWE: CWE-89

View on NVD

All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of elements.</p> <p><strong>CVSS:</strong> 4.2 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25869">View on NVD</a></p> ]]> </description> </item> <item> <title>[Low] CVE-2021-4231 – A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been cla...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2021-4231</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2021-4231</guid> <pubDate>Thu, 26 May 2022 14:15:07 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk low">Low</span> CVE-2021-4231</strong></p> <p>A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8…</p> <p><strong>CVSS:</strong> 3.5 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-4231">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2022-25844 – The package angular after 1.7.0 are vulnerable to Regular Expression Denial of S...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2022-25844</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2022-25844</guid> <pubDate>Sun, 01 May 2022 16:15:08 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2022-25844</strong></p> <p>The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.</p> <p><strong>CVSS:</strong> 5.3 · <strong>CWE:</strong> CWE-1333</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25844">View on NVD</a></p> ]]> </description> </item> <item> <title>[High] CVE-2021-21277 – angular-expressions is "angular's nicest part extracted as a standalone module f...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2021-21277</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2021-21277</guid> <pubDate>Mon, 01 Feb 2021 15:15:13 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk high">High</span> CVE-2021-21277</strong></p> <p>angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compile(userControlledInput)" where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex…</p> <p><strong>CVSS:</strong> 8.5 · <strong>CWE:</strong> CWE-74</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-21277">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2020-7676 – angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTM...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2020-7676</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2020-7676</guid> <pubDate>Mon, 08 Jun 2020 14:15:13 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2020-7676</strong></p> <p>angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.</p> <p><strong>CVSS:</strong> 5.4 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-7676">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2020-6200 – The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulne...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2020-6200</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2020-6200</guid> <pubDate>Tue, 10 Mar 2020 21:15:14 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2020-6200</strong></p> <p>The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.</p> <p><strong>CVSS:</strong> 5.4 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-6200">View on NVD</a></p> ]]> </description> </item> <item> <title>[High] CVE-2020-5219 – Angular Expressions before version 1.0.1 has a remote code execution vulnerabili...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2020-5219</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2020-5219</guid> <pubDate>Fri, 24 Jan 2020 16:15:11 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk high">High</span> CVE-2020-5219</strong></p> <p>Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the s…</p> <p><strong>CVSS:</strong> 8.7 · <strong>CWE:</strong> CWE-74</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5219">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2019-17127 – A Stored Client Side Template Injection (CSTI) with Angular was discovered in th...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2019-17127</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2019-17127</guid> <pubDate>Fri, 17 Jan 2020 18:15:13 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2019-17127</strong></p> <p>A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17127">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2019-17125 – A Reflected Client Side Template Injection (CSTI) with Angular was discovered in...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2019-17125</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2019-17125</guid> <pubDate>Fri, 17 Jan 2020 18:15:13 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2019-17125</strong></p> <p>A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17125">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2019-14863 – There is a vulnerability in all angular versions before 1.5.0-beta.0, where afte...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2019-14863</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2019-14863</guid> <pubDate>Thu, 02 Jan 2020 15:15:12 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2019-14863</strong></p> <p>There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14863">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2018-13339 – Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, a...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2018-13339</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2018-13339</guid> <pubDate>Thu, 05 Jul 2018 22:29:00 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2018-13339</strong></p> <p>Imperavi Redactor 3 in Angular Redactor 1.1.6, when HTML content mode is used, allows stored XSS, as demonstrated by an onerror attribute of an IMG element, a related issue to CVE-2018-7035.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13339">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2018-11537 – Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular exp...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2018-11537</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2018-11537</guid> <pubDate>Tue, 19 Jun 2018 19:29:00 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2018-11537</strong></p> <p>Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.</p> <p><strong>CVSS:</strong> 6.5 · <strong>CWE:</strong> CWE-20</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-11537">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2018-3713 – angular-http-server node module suffers from a Path Traversal vulnerability due ...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2018-3713</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2018-3713</guid> <pubDate>Thu, 07 Jun 2018 02:29:07 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2018-3713</strong></p> <p>angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known path.</p> <p><strong>CVSS:</strong> 6.5 · <strong>CWE:</strong> CWE-22</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-3713">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2017-16009 – ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2017-16009</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2017-16009</guid> <pubDate>Mon, 04 Jun 2018 19:29:00 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2017-16009</strong></p> <p>ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-16009">View on NVD</a></p> ]]> </description> </item> <item> <title>[High] CVE-2016-10524 – i18n-node-angular is a module used to interact between i18n and angular without ...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2016-10524</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2016-10524</guid> <pubDate>Thu, 31 May 2018 20:29:00 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk high">High</span> CVE-2016-10524</strong></p> <p>i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments a malicious user could fill up the server causing a Denial of Service or content injection.</p> <p><strong>CVSS:</strong> 8.2 · <strong>CWE:</strong> CWE-400</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-10524">View on NVD</a></p> ]]> </description> </item> <item> <title>[Medium] CVE-2017-12677 – IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expre...</title> <link>https://nvd.nist.gov/vuln/detail/CVE-2017-12677</link> <guid isPermaLink="true">https://nvd.nist.gov/vuln/detail/CVE-2017-12677</guid> <pubDate>Tue, 08 Aug 2017 01:34:00 +0000</pubDate> <description> <![CDATA[ <p><strong><span class="badge risk medium">Medium</span> CVE-2017-12677</strong></p> <p>IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response.</p> <p><strong>CVSS:</strong> 6.1 · <strong>CWE:</strong> CWE-79</p> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12677">View on NVD</a></p> ]]> </description> </item> </channel> </rss>