Angular <1.8.0 XSS Vulnerability (CVE-2020-7676) Advisory

Critical Vulnerability Information Vulnerability Type: Cross-site Scripting (XSS) Affected Package: angular Affected Versions: <1.8.0 CVE ID: CVE-2020-7676 CWE ID: CWE-79 Introduction Date: May 10, 2020 Severity: 5.0 (Medium) Remediation Recommendation: Upgrade angular to version 1.8.0 or higher Threat Intelligence: EPSS 0.75% (73rd percentile) Vulnerability Description Overview: - The angular package enables you to write web applications on the client side, especially with a smarter browser. It also allows you to use HTML as a template language and extend HTML syntax to express application components clearly and concisely. - Affected versions contain an XSS vulnerability. Regular expression input used for HTML replacement may result in code being returned un-sanitized. Code encapsulated within elements inside a element may lead to altered behavior, potentially being converted into unsanitized code. XSS Details: - XSS is a code vulnerability that occurs when an attacker "injects" malicious scripts into a trusted website. - Attackers inject malicious scripts into web application content, which then execute unvalidated on the client side (typically JavaScript or HTML). - Injecting malicious code is the most common method of exploiting XSS. To prevent such attacks, escaping characters to avoid this vulnerability is the primary defense mechanism. Attack Types: - Stored: Malicious code is stored on the server and activated when users click on a link. - Reflected: Attackers send malicious links to users from outside the vulnerable web application; when clicked, the malicious script is returned to the user’s browser. - DOM-based: Attackers force the user’s browser to render a malicious page, where the page itself supplies the cross-site scripting data. - Variant: Attackers inject code that appears safe but is rewritten and modified when parsed by the browser. Affected Environments: Web servers, application servers, web application environments. Mitigation Measures: - Sanitize data in HTTP requests. - Escape special characters. - Provide users with an option to disable client-side scripts. - Redirect invalid requests. - Detect simultaneous logins. - Implement Content Security Policy (CSP). - Review documentation of referenced libraries to understand which elements allow embedded HTML.

Goal Reached Thanks to every supporter — we hit 100%!

Angular <1.8.0 XSS Vulnerability (CVE-2020-7676) Advisory