Angular and AngularJS Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in all versions of Angular and AngularJS packages. This issue arises from insecure page caching in Internet Explorer, which permits the interpolation of <textarea> elements. As a result, an attacker could inject malicious scripts that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed by the user's browser, potentially leading to session hijacking or cookie theft.

Reproduction

To reproduce this vulnerability, inject into a <textarea> element a script that could be harmful if executed, such as one that uses AngularJS's $eval constructor to run JavaScript code. After injecting the script, navigate away from the page and then return using the browser's back button. The injected script will be executed, demonstrating the XSS vulnerability.

Remediation

There is no fixed version available for the vulnerable packages. However, users can refer to the official documentation for guidance on how to sanitize inputs and prevent XSS vulnerabilities.
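
One way to check templates for the exposure described above, as an added example that is not part of the advisory or of the Angular project's code: a Node.js scan that flags every <textarea> whose contents AngularJS would compile. It assumes that marking textareas with ng-non-bindable (a real AngularJS directive that stops compilation of an element's contents) is the hardening in use, which the advisory itself does not state; auditTextareas and SAMPLE are hypothetical names and the sample template is constructed.

```javascript
// Added example: regex-based template audit, not a full HTML parser.
// It will miss textareas whose attribute values contain '>'.
const TEXTAREA_RE = /<textarea\b([^>]*)>([\s\S]*?)<\/textarea\s*>/gi;

// AngularJS normalizes attribute names, so accept the data-/x- prefixes
// and the '-', ':' and '_' delimiters.
const NON_BINDABLE_RE =
  /(?:^|\s)(?:data-|x-)?ng[-:_]non[-:_]bindable(?=[\s=]|$)/i;

function auditTextareas(html, startSymbol = '{{') {
  const findings = [];
  for (const m of html.matchAll(TEXTAREA_RE)) {
    // Blank out quoted attribute values so a value that merely mentions
    // the directive name is not mistaken for the directive itself.
    const attrs = m[1].replace(/"[^"]*"|'[^']*'/g, '""');
    if (NON_BINDABLE_RE.test(attrs)) continue; // contents are not compiled

    const hasMarkup = m[2].includes(startSymbol);
    findings.push({
      line: html.slice(0, m.index).split('\n').length,
      severity: hasMarkup ? 'high' : 'review',
      reason: hasMarkup
        ? 'interpolation markup is already rendered inside a compiled textarea'
        : 'textarea contents are compiled; text restored by the browser would be interpolated',
    });
  }
  return findings;
}

// Constructed sample template (harmless expressions only).
const SAMPLE = [
  '<div ng-app="demo">',
  '  <textarea ng-model="comment"></textarea>',
  '  <textarea name="bio" data-ng-non-bindable></textarea>',
  '  <textarea name="note">{{ note }}</textarea>',
  '</div>',
].join('\n');

console.log(auditTextareas(SAMPLE));
```

If the application configures a custom interpolation start symbol, pass it as the second argument.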

Added: May 15, 2026, 8:36 AM
Updated: May 15, 2026, 8:36 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.7
exploitability: 5.2
remediation: 8.3
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.