Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yM2hmLXE4cTctZnYycM4AA1LN
Angular critical CSS inlining Cross-site Scripting Vulnerability Advisory
Impact
Angular Universal applications on 16.1.0 and 16.1.1 using critical CSS inlining are vulnerable to a cross-site scripting (XSS) attack where an attacker can trick another user into visiting a page which injects malicious JavaScript.
Angular CLI applications without Universal also perform critical CSS inlining; however, exploiting this requires a malicious actor to already have access to modify the source code directly.
Patches
@nguniversal/common should be upgraded to 16.1.2 or higher. 16.2.0-rc.0 is safe.
Workarounds
The easiest solution is likely to upgrade Universal to 16.1.2 or downgrade to 16.0.x or lower. Alternatively, you can specifically override the critters dependency with version 0.0.20 in your package.json:

    {
      "overrides": {
        "critters": "0.0.20"
      }
    }
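Added example (not part of the advisory or the Angular project): a small exposure check that takes a parsed package.json and a map of installed versions (assumed to come from the lockfile or node_modules) and reports whether @nguniversal/common falls in the advisory's affected range (>= 16.1.0, < 16.1.2) and whether the critters 0.0.20 override from the workaround is present. The semver comparison treats a pre-release as lower than its final release, which is why 16.2.0-rc.0 reports as safe.

```javascript
// Added example, not code from the advisory or the Angular project.
// Affected range and the critters override value are taken from the advisory text.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions; a pre-release sorts before its final release
// (semver spec item 11), so 16.1.2-rc.0 is treated as lower than 16.1.2.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

const AFFECTED_RANGE = { min: '16.1.0', maxExclusive: '16.1.2' }; // from the advisory

function isAffectedVersion(version) {
  const v = parseSemver(version);
  return compareVersions(v, parseSemver(AFFECTED_RANGE.min)) >= 0 &&
         compareVersions(v, parseSemver(AFFECTED_RANGE.maxExclusive)) < 0;
}

// pkgJson: parsed package.json; installedVersions: { name: version } as resolved
// in the lockfile or node_modules (assumed input shape, constructed by the caller).
function assessExposure(pkgJson, installedVersions) {
  const installed = installedVersions['@nguniversal/common'];
  if (!installed) return { exposed: false, reason: '@nguniversal/common not installed' };
  if (!isAffectedVersion(installed)) {
    return { exposed: false, reason: `@nguniversal/common ${installed} is outside the affected range` };
  }
  const critters = pkgJson.overrides && pkgJson.overrides.critters;
  if (critters === '0.0.20') {
    return { exposed: false, reason: 'critters pinned to 0.0.20 via package.json overrides' };
  }
  return { exposed: true, reason: `@nguniversal/common ${installed} is affected; upgrade to 16.1.2 or pin critters to 0.0.20` };
}

// Constructed sample input standing in for a real package.json and lockfile.
const samplePackageJson = { name: 'demo-app', dependencies: { '@nguniversal/common': '^16.1.0' } };
const sampleInstalled = { '@nguniversal/common': '16.1.1' };

console.log(assessExposure(samplePackageJson, sampleInstalled));
```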
Permalink: https://github.com/advisories/GHSA-r3hf-q8q7-fv2p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yM2hmLXE4cTctZnYycM4AA1LN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 9 months ago
Identifiers: GHSA-r3hf-q8q7-fv2p
References:
- https://github.com/angular/universal/security/advisories/GHSA-r3hf-q8q7-fv2p
- https://github.com/advisories/GHSA-r3hf-q8q7-fv2p
Blast Radius: 0.0
Affected Packages
npm:@nguniversal/common
Dependent packages: 59
Dependent repositories: 3,271
Downloads: 474,078 last month
Affected Version Ranges: >= 16.1.0, < 16.1.2
Fixed in: 16.1.2
All affected versions: 16.1.0, 16.1.1
All unaffected versions: 0.0.0, 5.0.0, 6.0.0, 6.1.0, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 8.1.0, 8.1.1, 8.2.5, 8.2.6, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.2.0, 11.2.1, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 13.0.0, 13.0.1, 13.0.2, 13.1.0, 13.1.1, 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.1.0, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 15.0.0, 15.1.0, 15.2.0, 15.2.1, 16.0.0, 16.0.1, 16.0.2, 16.1.2, 16.1.3, 16.2.0