Angular
cpe:2.3:a:angular:angular:*:*:*:*:node.js:*:*
- >= 21.0.0-next.0, < 21.0.2
- >= 20.0.0-next.0, < 20.3.15
- >= 19.0.0-next.0, < 19.2.17
- ~18.2
A stored cross-site scripting vulnerability has been identified in the Angular Template Compiler, affecting versions prior to 21.0.2, 20.3.15, 19.2.17, and 18.2.14. The vulnerability arises from an incomplete internal security schema, which allows attackers to bypass Angular's built-in security sanitization. Certain URL-holding attributes, such as those that could contain 'javascript:' URLs, were not properly classified as requiring strict URL security. This oversight enabled the injection of malicious scripts. Additionally, SVG animation elements could be exploited by targeting security-sensitive attributes on other elements, leading to the execution of arbitrary code.
Exploitation of this vulnerability allows for the execution of arbitrary code within the context of the vulnerable application's domain, potentially leading to session hijacking, data exfiltration, and unauthorized actions on behalf of the user.
To reproduce this vulnerability, bind untrusted data to vulnerable attributes such as 'xlink:href' or 'attributeName' of SVG animation elements. The injected script runs once the application is interacted with in a way that triggers it, such as clicking on the element or allowing an animation to play.
Users can upgrade to Angular versions 21.0.2, 20.3.15, or 19.2.17 to address this vulnerability. If an upgrade is not possible, ensure that data bound to vulnerable attributes is sourced from trusted inputs, avoid dynamic bindings of security-sensitive attributes on iframes, and configure a robust Content Security Policy that disallows 'javascript:' URLs.