CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-8373: AngularJS improper sanitization in '' element

4.8 CVSS

Description

Improper sanitization of the value of the [srcset] attribute in HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .

This issue affects all versions of AngularJS.

Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

Classification

CVE ID: CVE-2024-8373

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.8

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem Types

CWE-791: Incomplete Filtering of Special Elements

Affected Products

Vendor: Google

Product: AngularJS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.85% (scored less or equal to compared to others)

EPSS Date: 2025-05-27 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8373
https://www.herodevs.com/vulnerability-directory/cve-2024-8373
https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b

Timeline

2025-04-28 14:40:23 UTC
CVE

AngularJS improper sanitization in '' element