uriel-naor / ISSUES


angular-1.2.0.tgz: 16 vulnerabilities (highest severity is: 7.5) - autoclosed #19

Closed uriel-mend-app[bot] closed 1 year ago

uriel-mend-app[bot] commented 1 year ago
### Vulnerable Library - angular-1.2.0.tgz

AngularJS provided as a CommonJS module. Compiled with jsdom when running in Node. Useful for client-side apps built with Browserify and for testing AngularJS code in Node without depending on a browser.

Library home page: https://registry.npmjs.org/angular/-/angular-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/angular/package.json

Found in HEAD commit: 94f729510068f5d8203d19d5a1c9c50f8f631e8d

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (angular version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2019-10768 | High | 7.5 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0126 | Medium | 6.5 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| CVE-2019-14863 | Medium | 6.1 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2018-0001 | Medium | 6.1 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0118 | Medium | 5.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0114 | Medium | 5.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0116 | Medium | 5.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0117 | Medium | 5.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2018-0022 | Medium | 5.5 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2018-0002 | Medium | 5.5 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| CVE-2020-7676 | Medium | 5.4 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0124 | Medium | 5.3 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0122 | Medium | 4.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2017-0125 | Medium | 4.8 | angular-1.2.0.tgz | Direct | 1.6.9 | |
| WS-2018-0589 | Medium | 4.0 | nwmatcher-1.3.9.tgz | Transitive | 1.6.9 | |
| WS-2017-0268 | Low | 3.4 | angular-1.2.0.tgz | Direct | 1.6.9 | |

## Details

### CVE-2019-10768

Dependency Hierarchy:
- :x: **angular-1.2.0.tgz** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.

Publish Date: 2019-11-19

URL: CVE-2019-10768

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10768

Release Date: 2019-11-19

Fix Resolution (angular): v1.7.9

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2017-0126

### Vulnerability Details

Affected versions of the package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc

Publish Date: 2013-11-12

URL: WS-2017-0126

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Change files

Release Date: 2013-11-22

Fix Resolution (angular): Replace or update the following files: compileSpec.js, compile.js

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### CVE-2019-14863

### Vulnerability Details

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Publish Date: 2020-01-02

URL: CVE-2019-14863

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Release Date: 2020-01-02

Fix Resolution (angular): angular - v1.5.0-beta.1;org.webjars:angularjs:1.5.0-rc.0

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2018-0001

### Vulnerability Details

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.

Publish Date: 2016-09-20

URL: WS-2018-0001

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-28hp-fgcr-2r4h

Release Date: 2016-09-20

Fix Resolution (angular): 1.6.0

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2017-0118

### Vulnerability Details

Affected versions of the package are vulnerable to Mutation Cross-site Scripting (mXSS).

Publish Date: 2015-09-08

URL: WS-2017-0118

### CVSS 3 Score Details (5.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Release Date: 2017-01-31

Fix Resolution (angular): v1.5.0-beta.1

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2017-0114

### Vulnerability Details

angular.js lacks $sce context for link[href] which makes it vulnerable to XSS attacks.

Publish Date: 2016-05-27

URL: WS-2017-0114

### CVSS 3 Score Details (5.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2017-0114

Release Date: 2016-05-27

Fix Resolution (angular): angular - 1.2.30;angular - v1.0.7,v1.2.17-build.100+sha.feb54d6,v1.2.27-build.491+sha.07d6242,v1.2.0-rc.1,v1.2.30-build.604+sha.34e5623;org.webjars:angularjs - 1.3.0-beta.11

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2017-0116

### Vulnerability Details

The use element can reference external SVGs (same origin) and can include xlink JavaScript URLs or foreign objects that can execute XSS.

Publish Date: 2015-12-05

URL: WS-2017-0116

### CVSS 3 Score Details (5.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Change files

Release Date: 2015-12-06

Fix Resolution (angular): Replace or update the following files: sanitize.js, sanitizeSpec.js

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2017-0117

### Vulnerability Details

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks.

Publish Date: 2015-11-30

URL: WS-2017-0117

### CVSS 3 Score Details (5.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Change files

Release Date: 2015-12-06

Fix Resolution (angular): Replace or update the following files: parseSpec.js, parse.js

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2018-0022

### Vulnerability Details

XSS vulnerability in angular.js (1.6.8 and before).

Publish Date: 2018-01-06

URL: WS-2018-0022

### CVSS 2 Score Details (5.5)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version

Release Date: 2018-01-21

Fix Resolution (angular): 1.6.9

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### WS-2018-0002

### Vulnerability Details

When rendering Angular templates with a server-side templating engine like ERB or Haml it is easy to introduce XSS vulnerabilities. These vulnerabilities are enabled by AngularJS evaluating user-provided strings containing interpolation symbols (default symbols are {{ and }}).

Publish Date: 2014-05-20

URL: WS-2018-0002

### CVSS 2 Score Details (5.5)

Base Score Metrics not available

### Suggested Fix

Type: Change files

Release Date: 2014-05-20

Fix Resolution (angular): Replace or update the following files: interpolate.js, interpolateSpec.js

Direct dependency fix Resolution (angular): 1.6.9

:rescue_worker_helmet: Automatic Remediation is available for this issue

### CVE-2020-7676

### Vulnerability Details

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "