CVE
CVE-2019-10768
| CVE ID | CVE-2019-10768 |
|---|---|
| CVSS Score | 7.5 |
| Operating System | |
| Affected Versions | |
| Patched Versions | 1.5.14 |
| Patch Date | |
| Last Updated Date | |
| Vector String | |
Additional Information
NVD Listing: NVD - CVE-2019-10768
Fixes
- merge(): Addressed an issue where the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload (CVE-2019-10768).
- textarea: Addressed an issue where, in Internet Explorer (IE), value interpolation was omitted in <textarea> elements when using the browser back/forward functionality. For details, see CVE-2022-25869 and SNYK-JS-ANGULAR-2949781.
- JQLite: Prevented possible Cross-site Scripting (XSS) due to regex-based HTML replacement. For details, see SNYK-JS-ANGULAR-572020.
- $sanitize: Prevented clobbered elements from freezing the browser. For details, see SNYK-JS-ANGULAR-471885.
- $sanitize: Improved $sanitize to use appropriate inert document strategy for Firefox and Safari. If needed, use a DOMParser or XHR strategy to address XSS vulnerability. For details, see SNYK-JS-ANGULAR-471882.
- sanitizeUri: Fixed Cross-site Scripting (XSS) by sanitizing URIs that contain IDEOGRAPHIC SPACE chars. For details, see SNYK npm:angular:20171018.
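
The merge() item above describes prototype pollution through a `__proto__` key. The following is an added example, not AngularJS source code: `naiveMerge`, `safeMerge`, `BLOCKED_KEYS` and `demo` are hypothetical names, and the payload is constructed. It puts a vulnerable recursive merge beside a hardened one.

```javascript
// Added example: hypothetical helpers, not AngularJS source code.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deliberately vulnerable: recursive merge that trusts every key in src.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObj(src[key])) {
      // dst['__proto__'] resolves to Object.prototype, so the recursion
      // below writes attacker-chosen properties onto the shared prototype.
      if (!isObj(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: skip prototype-reaching keys and only recurse into own properties.
// Blocking 'constructor' and 'prototype' too is an assumption of this example.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isObj(src[key])) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !isObj(dst[key])) dst[key] = {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Constructed input: JSON.parse creates an own "__proto__" key, which is how
// such a payload typically reaches a merge of untrusted data.
function demo() {
  const payload = JSON.parse('{"__proto__":{"polluted":true},"theme":{"color":"red"}}');
  const merged = safeMerge({}, payload);
  const safeLeaked = ({}).polluted === true;
  naiveMerge({}, payload);
  const naiveLeaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before returning
  return { safeLeaked, naiveLeaked, color: merged.theme.color };
}

console.log(demo());
```

After the naive merge, every object in the process inherits `polluted`, which is why a single merge of untrusted JSON can change behaviour far from the call site.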