CVE-2024-8372

Sept. 9, 2024, 6:30 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

AngularJS

  • 1.3.0-rc.4 and greater

Source

36c7be3b-2937-45df-85ea-ca7133ea542c

CVE-2024-8372 details

Published : Sept. 9, 2024, 3:15 p.m.
Last Modified : Sept. 9, 2024, 6:30 p.m.

Description

Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.

CVSS Score

4.8 (on a scale of 1 to 10)

Weakness

Weakness: CWE-1289
Name: Improper Validation of Unsafe Equivalence in Input
Description: The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.

CVSS Data

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
Base Score: 4.8
Exploitability Score: 2.2
Impact Score: 2.5
Base Severity: MEDIUM

References

URL: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
Source: 36c7be3b-2937-45df-85ea-ca7133ea542c

URL: https://www.herodevs.com/vulnerability-directory/cve-2024-8372
Source: 36c7be3b-2937-45df-85ea-ca7133ea542c