All versions of Angular.js prior to 1.5.0-beta1 are vulnerable to click-hijacking.
This was caused by the svg support being turned on by default.
The svg support is now an opt-in. Applications that depend on this option can turn it back on but they should inform themselves on preventing the vulnerability while the option is turned on.
WS-2017-0119 - High Severity Vulnerability
AngularJS module for sanitizing HTML
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular-sanitize/1.3.0/angular-sanitize.min.js
Path to vulnerable library: /Scripts/angular-sanitize.min.js
Dependency Hierarchy: - :x: **angular-sanitize-1.3.0.min.js** (Vulnerable Library)
Found in HEAD commit: df351b2afd89988ab17bca6c76add5ddebcf055b
Found in base branch: main
All versions of Angular.js prior to 1.5.0-beta1 are vulnerable to click-hijacking. This was caused by the svg support being turned on by default. The svg support is now an opt-in. Applications that depend on this option can turn it back on but they should inform themselves on preventing the vulnerability while the option is turned on.
Publish Date: 2015-08-07
URL: WS-2017-0119
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2015-08-07
Fix Resolution: v1.5.0-beta.1
Step up your Open Source Security Game with Mend here