Open mend-bolt-for-github[bot] opened 5 years ago
Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.89.
WS-2017-0120 - High Severity Vulnerability
Vulnerable Library - angular-1.4.2.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.2/angular.min.js
Path to dependency file: /tmp/ws-scm/aevum-docs/node_modules/autocomplete.js/examples/basic_angular.html
Path to vulnerable library: /aevum-docs/node_modules/autocomplete.js/examples/basic_angular.html,/aevum-docs/node_modules/autocomplete.js/test/playground_angular.html
Dependency Hierarchy:
- :x: **angular-1.4.2.min.js** (Vulnerable Library)
Found in HEAD commit: 1148f88a5aea4731d79b43613393a2cf3a574d19
Vulnerability Details
Interpolation into the xlink:href attribute is not properly sanitized, so the library is vulnerable to Cross-site Scripting (XSS).
Publish Date: 2017-01-20
URL: WS-2017-0120
CVSS 2 Score Details (7.8)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: https://github.com/angular/angular.js/commit/f33ce173c90736e349cf594df717ae3ee41e0f7a
Release Date: 2015-09-18
Fix Resolution: Replace or update the following files: compileSpec.js, compile.js