CVE-2022-25869

Cross-Site Scripting
Affects
AngularJS
<=1.8.3
in
AngularJS
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

This Cross-Site Scripting (XSS) exploit is present in all public versions of AngularJS. It is present only with the Internet Explorer browser, which has a bug in its page caching when dealing with textareas. A malicious actor can insert dangerous code that the browser will execute thereby giving access to data or script function (the attacker tricks the application or site into accepting a request as though it was from a trusted source). A proof of concept demonstrating this exploit is available on StackBlitz.

Addressing the Issue

Users of the Internet Explorer browser are vectors of this potential exploit when using all public AngularJS versions. Developers can escape their code (see below) to prevent this sort of attack and should still upgrade to a version of the library with the fix.

Learning and Prevention

In general, XSS exploits are best avoided by escaping content that isn’t from a trusted source. Escaping can be done by libraries that specialize in this function. Using HTML for an example, they will take a < and >  code them as &lt; and &gt;.  Performing this transformation prevents code from being executed in locations where it can cause harm.

Conclusion

HeroDevs clients were notified to upgrade immediately upon the release of version 1.9.0. If you would like the peace-of-mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.

Resources

NIST 2022-25869 entry

Vulnerability Details
ID
CVE-2022-25869
PROJECT Affected
AngularJS
Versions Affected
<=1.8.3
Published date
July 15, 2022
≈ Fix date
May 1, 2022
Severity
Medium
Category
Cross-Site Scripting