• Hardened Linux Images: What’s New

    Get details, release notes, and CIS benchmark information for OpenLogic’s hardened Linux images for VMs and containers.

  • CVE-2019-10768

    NVD LIsting : NVD - CVE-2019-10768

    Fixes

    • merge(): Addressed an issue where the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload (CVE-2019-10768). 
    • textarea: Addressed an issue where, in Internet Explorer (IE), value interpolation was omitted in <textarea> elements when using the browser back/forward functionality. For details, see CVE-2022-25869 and SNYK-JS-ANGULAR-2949781.  
    • JQLite: Addressed an issue that prevented possible Cross-site Scripting (XSS) due to regex-based HTML replacement. For details, see SNYK-JS-ANGULAR-572020
    • $sanitize: Addressed an issue that prevented clobbered elements from freezing the browser. For details, see SNYK-JS-ANGULAR-471885
    • $sanitize: Improved $sanitize to use appropriate inert document strategy for Firefox and Safari. If needed, use a DOMParser or XHR strategy to address XSS vulnerability. For details, see SNYK-JS-ANGULAR-471882
    • sanitizeUri: Fixed Cross-site Scripting (XSS) by sanitizing URIs that contain IDEOGRAPHIC SPACE chars. For details, see SNYK npm:angular:20171018
    CVE-2019-10768
    AngularJS
    1.5.14
    angular
    7.5

  • CVE-2025-4690

    NVD Listing: NVD - CVE-2025-4690

    Bug Fixes 

    • ngSanitize: Fixed a Regular Expression Denial of Service (ReDoS) vulnerability in the linky filter’s URL-matching regex. The previous pattern could exhibit super-linear runtime due to catastrophic backtracking, allowing malicious input to hang the application. The updated implementation uses a hardened regex that prevents backtracking while preserving correct URL and email detection. For more details, see CVE-2025-4690
    CVE-2025-4690
    AngularJS
    1.5.17
    ngSanitize
    4.3

  • CVE-2025-4690

    NVD Listing: NVD - CVE-2025-4690

    Bug Fixes 

    • ngSanitize: Fixed a Regular Expression Denial of Service (ReDoS) vulnerability in the linky filter’s URL-matching regex. The previous pattern could exhibit super-linear runtime due to catastrophic backtracking, allowing malicious input to hang the application. The updated implementation uses a hardened regex that prevents backtracking while preserving correct URL and email detection. For more details, see CVE-2025-4690

     

    CVE-2025-4690
    AngularJS
    1.8.11
    ngSanitize
    4.3

  • CVE-2025-2336

    NVD Listing::- NVD - CVE-2025-2336

    Bug Fixes 

    • ngSanitize: AngularJS SVG image content spoofing vulnerability allows attackers to bypass common image source restrictions normally applied to image elements. URI attributes on SVG <image> tags (href, xlink:href, ng-href) are now properly sanitized. For more details, see CVE-2025-2336
    CVE-2025-2336
    AngularJS
    1.8.10
    ngSanitize
    4.3

  • CVE-2025-2336

    NVD Listing :- NVD - CVE-2025-2336

    Bug Fixes 

    • ngSanitize: AngularJS SVG image content spoofing vulnerability allows attackers to bypass common image source restrictions normally applied to image elements. URI attributes on SVG <image> tags (href, xlink:href, ng-href) are now properly sanitized. For more details, see CVE-2025-2336
    CVE-2025-2336
    AngularJS
    1.5.16
    ngSanitize
    4.8

  • CVE-2025-2336

    NVD Listing :- NVD - CVE-2025-2336

    Bug Fixes 

    • ngSanitize: AngularJS SVG image content spoofing vulnerability allows attackers to bypass common image source restrictions normally applied to image elements. URI attributes on SVG <image> tags (href, xlink:href, ng-href) are now properly sanitized. For more details, see CVE-2025-2336

     

    CVE-2025-2336
    AngularJS
    1.6.17
    ngSanitize
    4.8

  • CVE-2023-26117

    NVD Listing: NVD - CVE-2023-26117

    Bug Fixes 

    • ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitize image URLs set by $compileProvider.imgSrcSanitizationWhitelist(). 
      This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-attr-srcset Angular attributes. 
      This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
    • ng-srcset: Addresses a ReDoS vulnerability in the ng-srcset directive. 
      This update enhances the performance of the ng-srcset directive and mitigates a high-severity risk associated with ReDoS (CVE-2024-21490).
    • angular.copy(): Fixes a ReDoS issue in angular.copy() 
      This fix corrected the logic for copying RegExp in angular.copy and solved a high severity threat related to ReDoS (CVE-2023-26116)
    • $resource: Fixes ReDoS issue with URLs that have trailing slashes 
      Addresses the ReDoS high severity vulnerability (CVE-2023-26117). This fix resolved the trailing slashes issue in $resource.
    • input[url]: Fixed ReDoS issue in input URL 
      This fix addressed a high severity threat related to ReDoS and improves performance in URL_REGEXP (CVE-2023-26118)
    • $sniffer: Updated sniffer logic to detect Firefox browser based on Modern Firefox user agent strings that include the substring like "Gecko" and sometimes "webkit" for compatibility. Earlier it used to return true even for webkit based browsers.
    • SVG image elements: Addresses a Content Spoofing vulnerability related to SVG image elements. 
      This patch addresses the CVE-2025-0716 vulnerability, where attackers could bypass common image source restrictions through improper sanitization of the 'href' and 'xlink:href' attributes in '' SVG elements. 

     

    CVE-2023-26117
    AngularJS
    1.5.13
    $resource
    5.3

  • CVE-2024-21490

    NVD Listing:- NVD - CVE-2024-21490

    ug Fixes 

    • ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitize image URLs set by $compileProvider.imgSrcSanitizationWhitelist(). 
      This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-attr-srcset Angular attributes. 
      This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute. 
    • ng-srcset: Addresses a ReDoS vulnerability in the ng-srcset directive. 
      This update enhances the performance of the ng-srcset directive and mitigates a high-severity risk associated with ReDoS (CVE-2024-21490). 
    • angular.copy(): Fixes a ReDoS issue in angular.copy() 
      This fix corrected the logic for copying RegExp in angular.copy and solved a high severity threat related to ReDoS (CVE-2023-26116
    • $resource: Fixes ReDoS issue with URLs that have trailing slashes 
      Addresses the ReDoS high severity vulnerability (CVE-2023-26117). This fix resolved the trailing slashes issue in $resource. 
    • input[url]: Fixed ReDoS issue in input URL 
      This fix addressed a high severity threat related to ReDoS and improves performance in URL_REGEXP (CVE-2023-26118
    • $sniffer: Updated sniffer logic to detect Firefox browser based on Modern Firefox user agent strings that include the substring like "Gecko" and sometimes "webkit" for compatibility. Earlier it used to return true even for webkit based browsers. 
    • SVG image elements: Addresses a Content Spoofing vulnerability related to SVG image elements. 
      This patch addresses the CVE-2025-0716 vulnerability, where attackers could bypass common image source restrictions through improper sanitization of the 'href' and 'xlink:href' attributes in '' SVG elements. 

     

    CVE-2024-21490
    AngularJS
    1.5.13
    ReDoS
    7.5

  • CVE-2023-26118

    NVD Listing: NVD - CVE-2023-26118

    Bug Fixes 

    • ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitize image URLs set by $compileProvider.imgSrcSanitizationWhitelist(). 
      This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-attr-srcset Angular attributes. 
      This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
    • ng-srcset: Addresses a ReDoS vulnerability in the ng-srcset directive. 
      This update enhances the performance of the ng-srcset directive and mitigates a high-severity risk associated with ReDoS (CVE-2024-21490).
    • angular.copy(): Fixes a ReDoS issue in angular.copy() 
      This fix corrected the logic for copying RegExp in angular.copy and solved a high severity threat related to ReDoS (CVE-2023-26116)
    • $resource: Fixes ReDoS issue with URLs that have trailing slashes 
      Addresses the ReDoS high severity vulnerability (CVE-2023-26117). This fix resolved the trailing slashes issue in $resource.
    • input[url]: Fixed ReDoS issue in input URL 
      This fix addressed a high severity threat related to ReDoS and improves performance in URL_REGEXP (CVE-2023-26118)
    • $sniffer: Updated sniffer logic to detect Firefox browser based on Modern Firefox user agent strings that include the substring like "Gecko" and sometimes "webkit" for compatibility. Earlier it used to return true even for webkit based browsers.
    • SVG image elements: Addresses a Content Spoofing vulnerability related to SVG image elements. 
      This patch addresses the CVE-2025-0716 vulnerability, where attackers could bypass common image source restrictions through improper sanitization of the 'href' and 'xlink:href' attributes in '' SVG elements. 
    CVE-2023-26118
    AngularJS
    1.5.13
    angular
    5.3