Description
WS-2017-0113 - Medium Severity Vulnerability
Vulnerable Library - angularjs.core.1.5.5.nupkg
See the AngularJS.* packages for other Angular modules
path: /build-radiator/BuildRadiator/packages.config
Library home page: https://api.nuget.org/packages/angularjs.core.1.5.5.nupkg
Dependency Hierarchy:
- ❌ angularjs.core.1.5.5.nupkg (Vulnerable Library)
Vulnerability Details
Extension URIs (resource://...) bypass Content-Security-Policy in Chrome and
Firefox and can always be loaded. Now if a site already has an XSS bug, and uses
CSP to protect itself, but the user has an extension installed that uses
Angular, an attacker can load Angular from the extension, and Angular's
auto-bootstrapping can be used to bypass the victim site's CSP protection.
Publish Date: 2017-01-20
URL: WS-2017-0113
Suggested Fix
Type: Change files
Origin: angular/angular.js@0ff10e1
Release Date: 2016-11-02
Fix Resolution: Replace or update the following files: Angular.js, .eslintrc.json, AngularSpec.js