Cross-Site Scripting (XSS)

@angular/core is vulnerable to cross-site scripting. An attacker is able to inject and execute arbitrary Javascript in a user's browser through SSR into a comment node...

FetLife: Stored XSS via Angular Expression injection via Subject while starting conversation with other users.

The reporter pointed out that the Subject field for sending private messages using FetLife's onsite chat was vulnerable to a stored XSS exploit, allowing people to execute potentially malicious contents on the receiving end of the message...

nodejs-angular: XSS due to regex-based HTML replacement

A XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code...

Cross-site Scripting (XSS)

Overview ngx-markdown-editor is an Angular markdown editor based on ace editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the markdown editor. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious scri...

Remote Code Execution (RCE)

angular-expressions is vulnerable to remote code execution RCE. The vulnerability exists through the use of the .constructor.constructor technique passed into the expressions.compile function...

CVE-2021-21277

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compileuserControlledInput" where "userControlledInput" is tex...

CVE-2021-21277

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compileuserControlledInput" where "userControlledInput" is tex...

Remote code execution

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compileuserControlledInput" where "userControlledInput" is tex...

CVE-2021-21277

The CVE-2021-21277 issue affects angular-expressions prior to 1.1.2. Affected component: the expressions.compile(userControlledInput) path, where user input can bypass security via a complex payload (notably using the .constructor.constructor technique). In the browser, this could run arbitrary b...

CVE-2021-21277 Angular Expressions - Remote Code Execution

angular-expressions is "angular's nicest part extracted as a standalone module for the browser and node". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call "expressions.compileuserControlledInput" where "userControlledInput" is tex...

GHSA-J6PX-JWVV-VPWQ Angular Expressions - Remote Code Execution

Impact The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compileuserControlledInput where userControlledInput is text that comes from user input. This time, the security of the package could be bypassed by using a more complex payload, using a...

@openagenda/agenda-docx (>=1.0.2 <=1.2.2), @patrickkeller/fishy-templater (=1.0.0) +30 more potentially affected by CVE-2021-21277 via angular-expressions (>=0.1.0 <=1.0.0)

angular-expressions NPM version =0.1.0, =1.0.2, =1.8.0, =1.0.0, =1.0.0, =0.5.2, =0.7.6, =1.4.0, =0.1.0, =0.2.1 and more Source cves: CVE-2021-21277 Source advisory: OSV:GHSA-J6PX-JWVV-VPWQ...

Angular Expressions - Remote Code Execution

Impact The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compileuserControlledInput where userControlledInput is text that comes from user input. This time, the security of the package could be bypassed by using a more complex payload, using a...

Peerigon angular-expressions code injection vulnerability

Peerigon angular-expressions is a Javascript-based codebase that can be used to extract browser nodes from Peerigon, Germany. A code injection vulnerability exists in angular-expressions 1.1.2, which allows remote code execution and can be exploited by an attacker to run any browser script...

PT-2021-14383 · Unknown · Angular-Expressions

Name of the Vulnerable Software and Affected Versions: angular-expressions versions prior to 1.1.2 Description: The issue allows Remote Code Execution if expressions.compileuserControlledInput is called where userControlledInput is text that comes from user input. The security of the package coul...

Scullyio Scully 注入漏洞

Scullyio Scully is a Typescript-based software for building Angular applications organized by Scullyio.Scully pre-renders every page in the application as plain HTML and CSS.To do this, Scully uses guessjs to find all the routes in the project. Scully then accesses each route, renders the view an...

kinvey-angular-sdk (>=3.4.0 <=3.5.3), kinvey-angular2-sdk (>=3.4.1 <=3.5.2) +6 more potentially affected by CVE-2020-7741 via hellojs (>=1.13.1 <=1.14.1)

hellojs NPM version =1.13.1, =3.4.0, =3.4.1, =3.4.1, =3.4.0, =3.4.1, =3.4.0, =3.4.0, =3.4.1, =3.5.2 Source cves: CVE-2020-7741 Source advisory: OSV:GHSA-7JH9-6CPF-H4M7...

nodejs-angular: XSS due to regex-based HTML replacement

A XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code...

kinvey-angular-sdk (>=3.4.0 <=3.5.3), kinvey-angular2-sdk (>=3.4.1 <=3.5.2) +6 more potentially affected by CVE-2020-7741 via hellojs (>=1.13.1 <=1.14.1)

hellojs NPM version =1.13.1, =3.4.0, =3.4.1, =3.4.1, =3.4.0, =3.4.1, =3.4.0, =3.4.0, =3.4.1, =3.5.2 Source cves: CVE-2020-7741 Source advisory: SNYK:JS-HELLOJS-1014546...

Malicious Package in angular-location-update

Version 0.0.3 of angular-location-update contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...