Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| angular:1.7.9 | | pkg:npm/angular@1.7.9 | HIGH | 17 | | 3 |
| trix:1.2.3 | | pkg:npm/trix@1.2.3 | MEDIUM | 8 | | 3 |
File Path: /var/lib/jenkins/workspace/ozone_service/controllers/Backup/package-lock.json?angular
Referenced In Project/Scope: package-lock.json: transitive
CVE-2022-25844 (OSSINDEX)
The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-25844 for details.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-21490 (OSSINDEX)
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
CVE-2024-8372 (OSSINDEX)
AngularJS - Improper Validation of Unsafe Equivalence in Input [CVE-2024-8372]
CWE-1289 Improper Validation of Unsafe Equivalence in Input
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-7676 (OSSINDEX)
angular - Cross-Site Scripting (XSS) [CVE-2020-7676] The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
CVE-2022-25869 (OSSINDEX)
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of `<textarea>` elements.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of `<textarea>` elements. NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
angular.js prior to 1.8.0 allows cross-site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized code. Wrapping `<option>` elements in `<select>` ones changes parsing behavior, possibly leading to unsanitized code.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
CVE-2023-26116 (OSSINDEX)
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
CVE-2023-26118 (OSSINDEX)
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-26118 for details.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (OSSINDEX):
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1. This package has been deprecated and is no longer maintained. 2. The vulnerable versions are 1.7.0 and higher.
CWE-1333 Inefficient Regular Expression Complexity, CWE-770 Allocation of Resources Without Limits or Throttling
Vulnerable Software & Versions (NPM):
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the `<input type="url">` element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE-1333 Inefficient Regular Expression Complexity
Vulnerable Software & Versions (NPM):
### Summary

XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to `JQLite` methods like `JQLite.prepend`, `JQLite.after`, `JQLite.append`, `JQLite.replaceWith`, `new JQLite` and `angular.element`.

### Description

JQLite (the DOM manipulation library that is part of AngularJS) manipulates input HTML before inserting it into the DOM in `jqLiteBuildFragment`. One of the modifications performed [expands an XHTML self-closing tag](https://github.com/angular/angular.js/blob/418355f1cf9a9a9827ae81d257966e6acfb5623a/src/jqLite.js#L218). If `jqLiteBuildFragment` is called (e.g. via `new JQLite(aString)`) with a user-controlled HTML string that was sanitized (e.g. with [DOMPurify](https://github.com/cure53/DOMPurify)), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript, triggering an XSS when the payload is inserted into the DOM. This is similar to a bug in the jQuery `htmlPrefilter` function that was [fixed in 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/).

### Proof of concept

```javascript
const inertPayload = `<div><style><style/><img src=x onerror="alert(1337)"/>`
```

Note that the style element is not closed and `<img` would be a text node inside the style if inserted into the DOM as-is. As such, some HTML sanitizers would leave the `<img` as is without processing it and stripping the `onerror` attribute.

```javascript
angular.element(document).append(inertPayload);
```

This will alert, as `<style/>` will be replaced with `<style></style>` before adding it to the DOM, closing the style element early and reactivating `img`.

### Patches

The issue is patched in `JQLite` bundled with angular 1.8.0. AngularJS users using jQuery should upgrade jQuery to 3.5.0, as a similar vulnerability [affects jQuery <3.5.0](https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2).

### Workarounds

Changing sanitizer configuration not to allow certain tag grouping (e.g. `<option><style></option>`) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.

### References

- https://github.com/advisories/GHSA-mhp6-pxh8-r675
- https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
Improper sanitization of the value of the `[srcset]` attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
CWE-1289 Improper Validation of Unsafe Equivalence in Input
Vulnerable Software & Versions (NPM):
Improper sanitization of the value of the `[srcset]` attribute in `<source>` HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing). This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
CWE-791 Incomplete Filtering of Special Elements
Vulnerable Software & Versions (NPM):
File Path: /var/lib/jenkins/workspace/ozone_service/controllers/Backup/package-lock.json?trix
Referenced In Project/Scope: package-lock.json: transitive
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99. In https://github.com/basecamp/trix/pull/1149, we added sanitation for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`.

### Impact

An attacker could trick a user into copying and pasting malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches

**Update Recommendation:** Users should upgrade to Trix editor version 2.1.4 or later, which incorporates proper sanitization of input from copied content.

### Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as `script-src 'self'` to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using `script-src-elem`.

### References

* https://github.com/basecamp/trix/pull/1156
* https://github.com/basecamp/trix/releases/tag/v2.1.4
* https://github.com/basecamp/trix/pull/1149
* https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
* [MDN docs for `DataTransfer`](https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer)

### Credits

This vulnerability was reported by HackerOne researcher [thwin_htet](https://hackerone.com/thwin_htet?type=user).
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
CVE-2024-34341 (OSSINDEX)
Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.
**Vulnerable Versions**:
- 1.x series up to and including 1.3.1
- 2.x series up to and including 2.1.0
**Fixed Versions**:
- v1.3.2
- v2.1.1
**Vector**:
- **Bug 1**: When copying content manipulated by a script, such as:
```js
document.addEventListener('copy', function(e){
e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
e.preventDefault();
});
```
and pasting into the Trix editor, the script within the content is executed.
- **Bug 2**: Similar execution occurs with content structured as:
```js
document.write(`copy<div data-trix-attachment="{"contentType":"text/html","content":"<img src=1 onerror=alert(101)>HELLO123"}"></div>me`);
```
### Impact:
An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
### Remediation:
**Update Recommendation**: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
**CSP Enhancement**: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
### References:
- https://github.com/basecamp/trix/releases/tag/v2.1.1
- https://github.com/basecamp/trix/pull/1147
- https://github.com/basecamp/trix/pull/1149
- https://github.com/basecamp/trix/pull/1153
**Credit**: These issues were reported by security researchers [loknop](https://hackerone.com/loknop) and [pinpie](https://hackerone.com/pinpie).
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.

### Impact

An attacker could trick the user into copying and pasting a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

### Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later.

### Workarounds

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as `script-src 'self'` to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using `script-src-elem`.

### References

- https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8

### Credits

This vulnerability was reported by HackerOne researcher https://hackerone.com/lio346?type=user
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
CVE-2024-43368 (OSSINDEX)
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In pull request 1149, sanitation was added for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`. An attacker could trick a user into copying and pasting malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This vulnerability was fixed in version 2.1.4.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
CVE-2024-53847 (OSSINDEX)
The Trix rich text editor, prior to versions 2.1.9 and 1.3.3, is vulnerable to cross-site scripting (XSS) and mutation XSS attacks when pasting malicious code. An attacker could trick a user into copying and pasting malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.9 or 1.3.3, which uses DOMPurify to sanitize the pasted content. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-53847 for details.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
CVE-2025-21610 (OSSINDEX)
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user into copying and pasting a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don't support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as `script-src 'self'` to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using `script-src-elem`.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (OSSINDEX):
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS and mutation XSS attacks when pasting malicious code.

### Impact

An attacker could trick a user into copying and pasting malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.9 or later, which uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the pasted content. If using Trix 1.x, upgrade to version 1.3.3 or later.

### Mitigations

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as `script-src 'self'` to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using `script-src-elem`.

### Credits

The XSS vulnerability was reported by HackerOne researcher [hiumee](https://hackerone.com/hiumee?type=user). The mutation XSS vulnerability was reported by HackerOne researcher [sudi](https://hackerone.com/sudi?type=user).
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):