Source: angular.js X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerabilities were published for angular.js. CVE-2022-25869[0]: | All versions of package angular are vulnerable to Cross-site Scripting | (XSS) due to insecure page caching in the Internet Explorer browser, | which allows interpolation of <textarea> elements. https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781 CVE-2023-26116[1]: | Versions of the package angular from 1.2.21 are vulnerable to Regular | Expression Denial of Service (ReDoS) via the angular.copy() utility | function due to the usage of an insecure regular expression. | Exploiting this vulnerability is possible by a large carefully-crafted | input, which can result in catastrophic backtracking. https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044 CVE-2023-26117[2]: | Versions of the package angular from 1.0.0 are vulnerable to Regular | Expression Denial of Service (ReDoS) via the $resource service due to | the usage of an insecure regular expression. Exploiting this | vulnerability is possible by a large carefully-crafted input, which | can result in catastrophic backtracking. https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045 CVE-2023-26118[3]: | Versions of the package angular from 1.4.9 are vulnerable to Regular | Expression Denial of Service (ReDoS) via the <input type="url"> | element due to the usage of an insecure regular expression in the | input[url] functionality. Exploiting this vulnerability is possible by | a large carefully-crafted input, which can result in catastrophic | backtracking. https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-25869 https://www.cve.org/CVERecord?id=CVE-2022-25869 [1] https://security-tracker.debian.org/tracker/CVE-2023-26116 https://www.cve.org/CVERecord?id=CVE-2023-26116 [2] https://security-tracker.debian.org/tracker/CVE-2023-26117 https://www.cve.org/CVERecord?id=CVE-2023-26117 [3] https://security-tracker.debian.org/tracker/CVE-2023-26118 https://www.cve.org/CVERecord?id=CVE-2023-26118 Please adjust the affected versions in the BTS as needed.

