WS-2017-0120 (High) detected in angular-1.4.2.min.js

[mend-bolt-for-github]

WS-2017-0120 - High Severity Vulnerability

Vulnerable Library - angular-1.4.2.min.js

AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.2/angular.min.js

Path to dependency file: /tmp/ws-scm/docs/website/node_modules/autocomplete.js/test/playground_angular.html

Path to vulnerable library: /docs/website/node_modules/autocomplete.js/test/playground_angular.html,/docs/website/node_modules/autocomplete.js/examples/basic_angular.html

Dependency Hierarchy:

• ❌ angular-1.4.2.min.js (Vulnerable Library)

Found in HEAD commit: ca11a4f0e463609c810b9803e548bbb3c771cf8f

Vulnerability Details

No proper sanitize of xlink:href attribute interoplation, thus vulnerable to Cross-site Scripting (XSS).

Publish Date: 2017-01-20

URL: WS-2017-0120

CVSS 2 Score Details (7.8)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: angular/angular.js@f33ce17

Release Date: 2015-09-18

Fix Resolution: Replace or update the following files: compileSpec.js, compile.js

---

Step up your Open Source Security Game with WhiteSource here