CVE
CWE-79
| CVE ID | CWE-79 |
|---|---|
| CVSS Score | 6.5 |
| Operating System | |
| Affected Versions | <1.6.0-rc.0 |
| Patched Versions | 1.5.15 |
| Patch Date | |
| Last Updated Date | |
| Vector String | |
Additional Information
Snyk Listing: Cross-site Scripting (XSS) in angular | Snyk
Bug Fixes
- $http: Fixed Cross-Site Scripting vulnerability (XSS). The $http service allowed JSONP requests with untrusted URLs which could be exploited by an attacker. Use $sce.trustAsResourceUrl to handle JSONP sensitive operations. Ensure that the URL satisfies SCE.RESOURCE_URL. For more details, see SNYK-JS-ANGULAR-471879.
- svg: Fixed Cross-Site Scripting vulnerability (XSS) through SVG files if enableSvg is set. For more details, see npm:angular:20180202.
- $http: Fixed Cross-Site Scripting vulnerability (XSS). The $http service allowed JSON_CALLBACK placeholders which could be exploited by an attacker. Specify the JSONP callback using the jsonpCallbackParam config. For more details, see npm:angular:20150315.
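
The two $http fixes above change how a JSONP call has to be written. The helper below is an added example, not code from AngularJS or from the advisory: it rewrites a legacy JSON_CALLBACK URL into a placeholder-free URL plus a jsonpCallbackParam name and refuses origins that are not on an allow-list. The host api.example.test, the allow-list and the function names are assumptions made for illustration.

```javascript
// Added example. Origins the application has chosen to trust for JSONP
// (constructed value, replace with your own allow-list).
const TRUSTED_JSONP_ORIGINS = ['https://api.example.test'];

// Turn a legacy "...?callback=JSON_CALLBACK" URL into what the fixed
// $http.jsonp expects: a URL without placeholder + the callback parameter name.
function migrateJsonpUrl(legacyUrl, trustedOrigins = TRUSTED_JSONP_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(legacyUrl); // relative or malformed URLs throw here
  } catch (e) {
    throw new Error('JSONP URL must be absolute: ' + legacyUrl);
  }
  if (parsed.protocol !== 'https:' || !trustedOrigins.includes(parsed.origin)) {
    throw new Error('untrusted JSONP origin: ' + parsed.origin);
  }
  let callbackParam = null;
  for (const [name, value] of Array.from(parsed.searchParams)) {
    if (value === 'JSON_CALLBACK') {
      if (callbackParam !== null) throw new Error('multiple JSON_CALLBACK placeholders');
      callbackParam = name;
      parsed.searchParams.delete(name);
    }
  }
  // A placeholder anywhere else (path, fragment, partial value) is refused.
  if (parsed.href.includes('JSON_CALLBACK')) {
    throw new Error('JSON_CALLBACK placeholder outside a query value');
  }
  // 'callback' is used when the legacy URL named no callback parameter.
  return { url: parsed.href, jsonpCallbackParam: callbackParam || 'callback' };
}

// Issue the request as the advisory recommends. $http and $sce are the
// injected AngularJS services; the URL is marked trusted only after the check.
function trustedJsonp($http, $sce, legacyUrl) {
  const { url, jsonpCallbackParam } = migrateJsonpUrl(legacyUrl);
  return $http.jsonp($sce.trustAsResourceUrl(url), { jsonpCallbackParam });
}
```
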