AngularJS Improper SVG Image Source Sanitization Vulnerability Allowing Content Spoofing

Vulnerability

A vulnerability exists in all versions of AngularJS due to improper sanitization of the 'href' and 'xlink:href' attributes in '<image>' SVG elements. This flaw allows attackers to bypass standard image source restrictions, potentially leading to content spoofing and adversely affecting the application's performance by loading excessively large or slow images. Notably, the AngularJS project is End-of-Life and will not receive updates to address this issue.

Impact

Exploitation of this vulnerability can cause content spoofing, where injected images from disallowed sources are displayed, potentially misleading users. Additionally, it can degrade application performance by loading large or slow images.

Reproduction

To reproduce this vulnerability, create an AngularJS application and configure the '$compileProvider' to restrict image sources to a specific domain. Then, use the 'ngHref' or 'ngAttrHref' directives to bind an image source from a disallowed domain, effectively bypassing the configured restrictions. This can also be done by interpolating the 'href' attribute with a disallowed image URL or a data URL containing an SVG image.
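The bindings described above can be located in an existing code base by auditing its templates. The following JavaScript is an added example, not code from the advisory or from AngularJS; the function name `findSvgImageBindings`, the constructed sample templates and the assumption that the application keeps the default `{{` interpolation start symbol are illustrative.

```javascript
// Added example (not advisory or AngularJS code): list SVG <image> elements
// whose href / xlink:href is data-bound, the pattern described above.

// Mirror AngularJS attribute-name normalization: drop an "x-" / "data-"
// prefix, then camelCase on ":", "-" and "_" delimiters.
function normalizeAttr(name) {
  return name.toLowerCase()
    .replace(/^(x|data)[:\-_]/, '')
    .replace(/[:\-_]+(.)/g, (_, c) => c.toUpperCase());
}

const BOUND_NAMES = new Set(['ngHref', 'ngAttrHref', 'ngAttrXlinkHref']);
const PLAIN_NAMES = new Set(['href', 'xlinkHref']);

function findSvgImageBindings(template) {
  const findings = [];
  // Quote-aware tag match so a ">" inside an attribute value does not end the tag.
  const tagRe = /<image\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s=\/"'<>]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const tag of template.matchAll(tagRe)) {
    const line = template.slice(0, tag.index).split('\n').length;
    for (const a of tag[1].matchAll(attrRe)) {
      const norm = normalizeAttr(a[1]);
      const value = a[2] ?? a[3] ?? '';
      // Directive forms are always bound; plain attributes only when interpolated.
      const bound = BOUND_NAMES.has(norm) ||
        (PLAIN_NAMES.has(norm) && value.includes('{{'));
      if (bound) findings.push({ line, attr: a[1], value });
    }
  }
  return findings;
}

// Constructed sample templates, one per line.
const SAMPLE = [
  '<svg><image ng-href="{{vm.avatarUrl}}" width="64" height="64"/></svg>',
  '<svg><image xlink:href="{{vm.banner}}"/></svg>',
  '<svg><image data-ng-attr-href="{{vm.logo}}"/></svg>',
  '<svg><image href="/static/logo.png"/></svg>', // static source: not flagged
  '<img ng-src="{{vm.photo}}">',                 // HTML <img>: not flagged
].join('\n');

for (const f of findSvgImageBindings(SAMPLE)) {
  console.log(`line ${f.line}: <image ${f.attr}="${f.value}">`);
}
```

Each finding is a place where the value reaching the `<image>` element should be traced back to its source and validated in application code, since the configured image source restriction is not applied there.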

Remediation

Users should migrate applications away from AngularJS or seek post-EOL security support from a commercial partner like HeroDevs.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.