{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8373", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "state": "PUBLISHED", "assignerShortName": "HeroDevs", "dateReserved": "2024-09-02T08:44:29.571Z", "datePublished": "2024-09-09T14:48:41.513Z", "dateUpdated": "2025-05-28T17:39:12.299Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "angular", "product": "AngularJS", "repo": "https://github.com/angular/angular.js", "vendor": "Google", "versions": [{"status": "affected", "version": ">=0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "George Kalpakas"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper sanitization of the value of the <tt>[srcset]</tt> attribute in <tt>&lt;source&gt;</tt> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of <a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\">Content Spoofing</a>.<br><br>This issue affects all versions of AngularJS.<br><br><b>Note:</b><br>The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\">here</a>."}], "value": "Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}, {"capecId": "CAPEC-148", "descriptions": [{"lang": "en", "value": "CAPEC-148 Content Spoofing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-791", "description": "CWE-791: Incomplete Filtering of Special Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:39:12.299Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"}, {"tags": ["technical-description", "exploit"], "url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "AngularJS improper sanitization in '<source>' element", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "angularjs", "product": "angular.js", "cpes": ["cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T15:04:03.093398Z", "id": "CVE-2024-8373", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T15:06:07.489Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-22T12:04:52.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241122-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-11-22T12:04:52.671Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8373", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-09T15:04:03.093398Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"], "vendor": "angularjs", "product": "angular.js", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T15:06:02.570Z"}}], "cna": {"tags": ["unsupported-when-assigned", "x_open-source"], "title": "AngularJS improper sanitization in '<source>' element", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "George Kalpakas"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}, {"capecId": "CAPEC-148", "descriptions": [{"lang": "en", "value": "CAPEC-148 Content Spoofing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/angular/angular.js", "vendor": "Google", "product": "AngularJS", "versions": [{"status": "affected", "version": ">=0.0.0", "versionType": "semver"}], "packageName": "angular", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373", "tags": ["third-party-advisory"]}, {"url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b", "tags": ["technical-description", "exploit"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .", "supportingMedia": [{"type": "text/html", "value": "Improper sanitization of the value of the <tt>[srcset]</tt> attribute in <tt>&lt;source&gt;</tt> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of <a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\">Content Spoofing</a>.<br><br>This issue affects all versions of AngularJS.<br><br><b>Note:</b><br>The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\">here</a>.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-791", "description": "CWE-791: Incomplete Filtering of Special Elements"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:39:12.299Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8373", "state": "PUBLISHED", "dateUpdated": "2025-05-28T17:39:12.299Z", "dateReserved": "2024-09-02T08:44:29.571Z", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "datePublished": "2024-09-09T14:48:41.513Z", "assignerShortName": "HeroDevs"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD75661F-C7AA-4B3D-8489-948BEA89237C", "versionEndIncluding": "1.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*", "matchCriteriaId": "E8F29E19-3A64-4426-A2AA-F169440267CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."}, {"lang": "es", "value": "La desinfecci\u00f3n incorrecta del valor del atributo [srcset] en los elementos HTML en AngularJS permite a los atacantes eludir las restricciones comunes de origen de las im\u00e1genes, lo que tambi\u00e9n puede provocar una forma de suplantaci\u00f3n de contenido https://owasp.org/www-community/attacks/Content_Spoofing . Este problema afecta a todas las versiones de AngularJS. Nota: El proyecto AngularJS ha llegado al final de su vida \u00fatil y no recibir\u00e1 ninguna actualizaci\u00f3n para solucionar este problema. Para obtener m\u00e1s informaci\u00f3n, consulte aqu\u00ed https://docs.angularjs.org/misc/version-support-status."}], "id": "CVE-2024-8373", "lastModified": "2025-02-12T20:15:05.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-09-09T15:15:12.887", "references": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b"}, {"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20241122-0003/"}], "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-791"}], "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "angular: From NVD collector", "id": "2310872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310872"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-791", "details": ["Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\nThis issue affects all versions of AngularJS.\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .", "A flaw was found in AngularJS. An improper sanitization of the srcset attribute in the source may allow attackers to bypass common image source restrictions, which may allow Content Spoofing."], "mitigation": {"lang": "en:us", "value": "Currently no mitigation is available for this vulnerability."}, "name": "CVE-2024-8373", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "polkit", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird:flatpak/thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "io.hawt-hawtio-integration", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "io.hawt-hawtio-online", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "io.hawt-project", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "qpid-dispatch", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-09-09T15:15:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8373\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8373\nhttps://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b\nhttps://www.herodevs.com/vulnerability-directory/cve-2024-8373"], "threat_severity": "Low"}

{}