Cross-site Scripting (XSS) Affecting angularjs.core package, versions [,1.5.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DOTNET-ANGULARJSCORE-1579451
- published23 Jan 2017
- disclosed4 Dec 2015
- creditPete Bacon Darwin
Introduced: 4 Dec 2015
CVE NOT AVAILABLE CWE-79 (opens in a new tab)How to fix?
Upgrade AngularJS.Core to version 1.5.0 or higher.
Overview
AngularJS.Core is a AngularJS.* package for other Angular modules within .NET.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS)
via the SVG <use> element.
The <use> element can reference external SVG's (same origin) and can include xlink:href javascript urls or foreign object that can execute XSS. The change disallows <use> elements in sanitized SVG markup.
An example of a malicious SVG document would be:
SVG to sanitize:
<svg><use xlink:href="test.svg#xss" /></svg>
External SVG file (test.svg):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg" width="100"
height="100"
id="xss">
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</a>
</svg>
Here the SVG to sanitize loads in the test.svg file via the <use> element. The sanitizer is not able to parse this file, which contains malicious executable mark-up.
This can only be taken advantage of if the external file is available via the
same origin restrictions in place.