CVE-2017-16009
Cross-site Scripting (XSS) vulnerability in ag-grid (npm)

What is CVE-2017-16009 About?

Affected versions of `ag-grid` are vulnerable to Cross-site Scripting (XSS) when used in conjunction with AngularJS. This allows attackers to inject and execute malicious scripts via Angular Expressions. This vulnerability is moderately complex to exploit, as it requires specific environmental conditions (AngularJS integration) to trigger the XSS.

Affected Software

ag-grid <=18.1.3-beta.1

Technical Details

The ag-grid library in its affected versions, when integrated with AngularJS, is vulnerable to Cross-site Scripting (XSS) via Angular Expressions. This occurs because ag-grid may process user-controlled input as Angular Expressions without sufficient sanitization. An attacker can inject malicious Angular Expression syntax into data displayed by ag-grid. When AngularJS then processes this input, the malicious expression is evaluated, leading to the execution of arbitrary JavaScript code in the context of the user's browser. This bypasses content security policies that might otherwise prevent XSS, as the execution happens within AngularJS's trusted context.

What is the Impact of CVE-2017-16009?

Successful exploitation may allow attackers to execute arbitrary script code in the context of the user's browser, steal session cookies, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2017-16009?

Exploiting this vulnerability involves crafting a malicious Angular Expression as input to ag-grid. The complexity is moderate, as it requires knowledge of AngularJS expression syntax and ag-grid data handling. No authentication is required if ag-grid displays user-controlled, unsanitized input. This is typically a remote client-side attack, where an attacker injects the malicious payload through input fields or URL parameters that feed into the ag-grid component. The critical prerequisite is the combined use of ag-grid and AngularJS, and the lack of proper input sanitization before binding data to the grid. The risk increases for applications that widely display user-generated content in ag-grid.
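The missing sanitization step described above can be applied to row data before it is bound to the grid. The following is an added example, not code from ag-grid or from this advisory; it assumes AngularJS's default `{{` and `}}` interpolation symbols, and the function names and sample rows are hypothetical.

```javascript
// Added example: find and neutralize AngularJS interpolation markers in
// row data before binding it to a grid that AngularJS may compile.
// Assumption: the default '{{' / '}}' symbols have not been changed.
const ZWSP = '\u200B';               // zero-width space, invisible when rendered
const START_MARKER = /\{\{/;         // detection only needs the start symbol
const ADJACENT = /([{}])(?=\1)/g;    // a brace directly followed by the same brace

// Return a deep copy in which no string contains '{{' or '}}'.
function neutralizeValue(value) {
  if (typeof value === 'string') return value.replace(ADJACENT, '$1' + ZWSP);
  if (Array.isArray(value)) return value.map(neutralizeValue);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = neutralizeValue(v);
    return out;
  }
  return value;                      // numbers, booleans, null pass through
}

// Report the path of every string field that carries a start marker,
// so the input can be logged or rejected instead of silently rewritten.
function findExpressions(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    if (START_MARKER.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findExpressions(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findExpressions(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Constructed sample rows (benign arithmetic stands in for an expression).
const sampleRows = [
  { id: 1, name: 'Alice', note: 'plain text' },
  { id: 2, name: '{{1+1}}', tags: ['ok', 'x {{ 7*7 }} y'] },
];

console.log(findExpressions(sampleRows));
console.log(findExpressions(neutralizeValue(sampleRows)));
```

The inserted zero-width space stays in the text if a user copies a cell, so rejecting flagged input at the server is the alternative when stored values must remain byte-exact.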

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2017-16009?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2017-16009?

Similar Vulnerabilities: CVE-2016-1000346, CVE-2016-1000347, CVE-2016-1000348, CVE-2017-14008, CVE-2017-14009