Overview
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2 on npm (JavaScript Library). It has been classified as problematic. Affected is an unknown function of the component Application Handler. Upgrading to version 11.0.5 or 11.1.0-next.3 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com.
Affected Product:
- Type: JavaScript Library
- Name: Angular
The manipulation with an unknown input leads to a cross site scripting vulnerability. . This is going to have an impact on integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.
The exploitability is told to be difficult. It is possible to launch the attack remotely. The successful exploitation requires a authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.
Exploiting
| Class | Cross site scripting |
| CWE: | CWE-79 |
| ATT&CK: | T1059.007 |
| Remote Access: | Yes |
| Upgrade: | Angular 11.0.5/11.1.0-next.3 |
| Patch: | Github.com |
| Availability Impact: | High |
| Base Score: | 2.6 |
| Temp Score: | 2.5 |
Mitigation
Upgrade to the latest version.
