SB2024101619 - Cross-site scripting in angular-translate angular-translate
Published: October 16, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2024-33665)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker could exploit this vulnerability using a specially crafted key to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Remediation
Install update from vendor's website.
References
- https://github.com/angular-translate/angular-translate/issues/1418
- https://stackblitz.com/github/neverendingsupport/angular-translate-xss-2024?file=public%2Findex.html
- http://docs.herodevs.com/docs/2024-Angular-Translate-XSS
- https://github.com/angular-translate/angular-translate/issues/1418#issuecomment-252498855