1344 matches found
CVE-2019-14863
A cross-site scripting (XSS) flaw was found in Angular. This flaw occurs due to improper sanitization of xlink:href attributes, which allows the web application to deliver data to users, along with other trusted content, without proper validation...
Project iKy v2.0.0 - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface
Project iKy is a tool that collects information from an email and shows results in a nice visual interface. Visit the Gitlab Page of the Project Project First of all we want to advise you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with...
EA Origin Template Injection Remote Code Execution
Exploit Title: EA Origin 10.5.36 Template Injection Remote Code Execution Date: 04/19/2019 Exploit Author: Dominik Penner @zer0pwn Vendor Homepage: https://www.origin.com Software Link: https://www.origin.com/can/en-us/store/download Version: 10.5.36 and below Tested on: Windows 10 CVE :...
@amitport/useful (>=0.5.0 <=0.5.2), @bb-cli/bb-test-plugin-ngmock (=1.5.8) +687 more potentially affected by unknown CVE via angular (>=0.0.1 <=1.5.9)
angular NPM version =0.0.1, =0.5.0, =0.2.7, =1.0.21, =0.2.1, =1.10.5, =0.2.0, =0.2.0-dev, =1.2.6, =0.3.2, =1.0.0, =1.0.0, =3.0.2, =4.5.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-28HP-FGCR-2R4H...
Project iKy - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface
Project iKy is a tool that collects information from an email and shows results in a nice visual interface. Visit the Gitlab Page of the Project Project First of all we want to advise you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with...
New Relic: CSTI fix (#587829) bypass leading to stored XSS at plugins again
@skavans discovered a workaround for previous XSS mitigations. This led to a more robust approach to filtering dangerous content in Angular templates...
Malicious Package
Overview Version 0.0.3 of angular-location-update contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your...
Malicious Package
angluar-cli is a malicious package. It contains malicious code in its post-install scripts which attempts to remove files and stop processes related to McAfee antivirus on macOS...
GHSA-VMHW-FHJ6-M3G5 Path Traversal in angular-http-server
Versions of angular-http-server before 1.4.4 are vulnerable to path traversal. Recommendation Update to version 1.4.4 or later...
Path Traversal in angular-http-server
Versions of angular-http-server before 1.4.4 are vulnerable to path traversal. Recommendation Update to version 1.4.4 or later...
New Relic: CSTI at Plugin page leading to active stored XSS (Publisher name)
Hey team, I have discovered the CSTI vulnerability at NR single Plugin page leading to stored XSS. To plant the payload you need to publish new plugin using account having the payload inside its name. Below I show you the easiest way to reproduce this using a python script which creates the new...
Project iKy - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface
Project iKy is a tool that collects information from an email and shows results in a nice visual interface. Visit the Gitlab Page of the Project Project First of all we want to advise you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with...
Denial Of Service (DoS)
@angular/platform-browser is vulnerable to denial of service (DoS) attacks. The vulnerability exists as clobbered elements can freeze the browser, causing DoS attacks...
Card-Skimming Scripts Hide Behind Google Analytics, Angular
A host of credit card-stealing scripts have popped up on the web, injected into websites and purporting to be legitimate Google Analytics or Angular utilities in order to avoid webmaster notice. According to research from Sucuri, the malicious code is obfuscated and injected into legitimate JS...
ecobee: CSTI on https://www.ecobee.com leads to XSS
Summary: Hi EcoBee team, the https://www.ecobee.com domain is vulnerable against angular injection via CSTI, that leads to XSS. Steps To Reproduce: 1. Go on https://www.ecobee.com/?s=x%20=%20%27y%27:%27%27.constructor.prototype;%20x%27y%27.charAt=.join;$eval%27x=alert/Mik/%27; 1. XSS executed...
GHSA-97GV-3P2C-XW7J Denial of Service and Content Injection in i18n-node-angular
Versions of i18n-node-angular prior to 1.4.0 are affected by denial of service and cross-site scripting vulnerabilities. The vulnerabilities exist in a REST endpoint that was created for development purposes, but was not disabled in production in affected versions. Recommendation Update to versio...
Denial of Service and Content Injection in i18n-node-angular
Versions of i18n-node-angular prior to 1.4.0 are affected by denial of service and cross-site scripting vulnerabilities. The vulnerabilities exist in a REST endpoint that was created for development purposes, but was not disabled in production in affected versions. Recommendation Update to versio...
Cross-Site Scripting (XSS)
angular-gettext is vulnerable to cross-site scripting. interpolationContext is passed to getString or getPlural functions in dist/angular-gettext.js and src/directive.js, which allows attackers to inject arbitrary JavaScript code into a victim's browser when the attribute...
angular-rome (>=0.2.4 <=0.2.9), api-gate (>=0.0.8 <=0.0.14) +74 more potentially affected by CVE-2018-16487 +1 more via lodash._basemerge (>=2.0.0 <=2.4.1)
lodash.basemerge NPM version =2.0.0, =0.2.4, =0.0.8, =0.1.2, =0.5.0, =0.0.3, =0.0.2, =0.0.0, =0.1.3, =0.0.0, =0.0.1, =0.0.1, =0.0.1, =1.0.18, =1.1.16 and more Source cves: CVE-2018-16487, CVE-2018-3721 Source advisory: SNYK:JS-LODASHBASEMERGE-450200...
Directory Traversal
angular-http-server is vulnerable to directory traversal attacks. A malicious user can send a curl request such as curl --path-as-is 'http://127.0.0.1:6060//etc/passwd' to gain access to sensitive files on the server. This vulnerability is related to CVE-2018-3713...