Source: angular.js
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for angular.js.

CVE-2022-25869[0]:
| All versions of package angular are vulnerable to Cross-site Scripting
| (XSS) due to insecure page caching in the Internet Explorer browser,
| which allows interpolation of <textarea> elements.

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781

CVE-2023-26116[1]:
| Versions of the package angular from 1.2.21 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the angular.copy() utility
| function due to the usage of an insecure regular expression.
| Exploiting this vulnerability is possible by a large carefully-crafted
| input, which can result in catastrophic backtracking.

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044

CVE-2023-26117[2]:
| Versions of the package angular from 1.0.0 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the $resource service due to
| the usage of an insecure regular expression. Exploiting this
| vulnerability is possible by a large carefully-crafted input, which
| can result in catastrophic backtracking.

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045

CVE-2023-26118[3]:
| Versions of the package angular from 1.4.9 are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the <input type="url">
| element due to the usage of an insecure regular expression in the
| input[url] functionality. Exploiting this vulnerability is possible by
| a large carefully-crafted input, which can result in catastrophic
| backtracking.

https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25869
    https://www.cve.org/CVERecord?id=CVE-2022-25869
[1] https://security-tracker.debian.org/tracker/CVE-2023-26116
    https://www.cve.org/CVERecord?id=CVE-2023-26116
[2] https://security-tracker.debian.org/tracker/CVE-2023-26117
    https://www.cve.org/CVERecord?id=CVE-2023-26117
[3] https://security-tracker.debian.org/tracker/CVE-2023-26118
    https://www.cve.org/CVERecord?id=CVE-2023-26118

Please adjust the affected versions in the BTS as needed.

Reply via email to