CVE-2024-33665 - Angular Translate XSS
Overview
angular-translate is a JavaScript translation library for AngularJS 1.x apps.
A cross-site scripting (XSS) vulnerability has been identified within angular-translate.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
Details
Module Info
- Package manager: npm
- Affected module: angular-translate
- Affected versions: >=v2.4.0
- Link to published package: https://www.npmjs.com/package/angular-translate
- Github repo: https://github.com/angular-translate/angular-translate
Vulnerability Info
Unsanitized keys used by the translate directive to apply translations are vulnerable to XSS attacks. With carefully-crafted input, this can result in the injection of malicious scripts into application code, also known as a XSS attack. Such malicious code can be used to exfiltrate sensitive data to remote servers.
Steps to Reproduce
The translate directive does not sanitize all inputs. This allows an attacker to inject malicious scripts by entering malicious code into an input field. See the Proof of Concept.
Proof of Concept
https://stackblitz.com/github/neverendingsupport/angular-translate-xss-2024?file=package.json
Remediation
Angular-Translate is end-of-life, though commercial support is available from HeroDevs. This vulnerability has been addressed in a patch by HeroDevs.