Angular up to 11.0.4/11.1.0-next.2 on npm Application cross site scripting

Overview

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2 on npm (JavaScript Library). It has been classified as problematic. An unknown function of the component Application Handler is affected. Upgrading to version 11.0.5 or 11.1.0-next.3 eliminates this vulnerability. Applying a patch can also eliminate this problem. The bugfix is available for download at github.com.

Affected Product:

  • Type: JavaScript Library
  • Name: Angular

The manipulation with an unknown input leads to a cross site scripting vulnerability. This impacts integrity. An attacker might be able to inject arbitrary HTML and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

Exploitation is rated as difficult. The attack can be launched remotely. Successful exploitation requires authentication and user interaction by the victim. Neither technical details nor an exploit are publicly available.

Exploiting

  • Class: Cross site scripting
  • CWE: CWE-79
  • ATT&CK: T1059.007
  • Remote Access: Yes
  • Upgrade: Angular 11.0.5/11.1.0-next.3
  • Patch: Github.com
  • Availability Impact: High
  • Base Score: 2.6
  • Temp Score: 2.5

Mitigation

Upgrade to the latest version.
