CVE-2021-4231
Cross Site Scripting vulnerability in core (npm)

Cross Site Scripting No known exploit

What is CVE-2021-4231 About?

This vulnerability in Angular versions up to 11.0.4/11.1.0-next.2 is a Cross-Site Scripting (XSS) flaw caused by improper handling of comments. By manipulating comments, an attacker can inject untrusted code that executes in the user's browser, leading to client-side attacks. The attack can be launched remotely, but it might require prior authentication.

Affected Software

  • @angular/core
    • <10.2.5
    • >11.0.0, <11.0.5
    • >11.1.0-next.0, <11.1.0-next.3

Technical Details

The vulnerability lies within Angular's handling of comments in versions up to 11.0.4 and 11.1.0-next.2. Specifically, the framework fails to properly sanitize or neutralize malicious script embedded within comments. When an attacker-controlled comment is processed and rendered by an Angular application, the embedded script is executed in the context of the user's browser. Because the script runs inside the application's own origin, it sidesteps the protection the browser's same-origin policy would otherwise provide, allowing the attacker to perform actions such as stealing session cookies, defacing the website, or redirecting the user to malicious sites.

What is the Impact of CVE-2021-4231?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, data theft, defacement, or redirection to malicious websites.

What is the Exploitability of CVE-2021-4231?

Exploitation of this XSS vulnerability has moderate complexity. It can be launched remotely, but may require the attacker to have prior authentication to the application to inject malicious content into comments. No requirement for elevated privileges is explicitly stated. The attack vector involves injecting specially crafted content into comments that are subsequently rendered by a vulnerable Angular application. The risk increases if the application allows authenticated users to submit comments without stringent sanitization, or if the authentication mechanism is weak.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-4231?

Available Upgrade Options

  • @angular/core
    • <10.2.5 → Upgrade to 10.2.5
    • >11.0.0, <11.0.5 → Upgrade to 11.0.5
    • >11.1.0-next.0, <11.1.0-next.3 → Upgrade to 11.1.0-next.3
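
To check an installed @angular/core version against the ranges above, the following added example (not code from the advisory or from Angular) applies SemVer precedence, including the "-next.N" prereleases, and returns the upgrade target. The names AFFECTED, parse, compare and fixFor are illustrative, and the range bounds are used exactly as the page lists them.

```javascript
// Ranges copied verbatim from this page's "Affected Software" list (bounds are exclusive).
const AFFECTED = [
  { gt: null, lt: "10.2.5", fix: "10.2.5" },
  { gt: "11.0.0", lt: "11.0.5", fix: "11.0.5" },
  { gt: "11.1.0-next.0", lt: "11.1.0-next.3", fix: "11.1.0-next.3" },
];

// Split "11.1.0-next.2" into a numeric core [11,1,0] and prerelease ids ["next","2"].
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// SemVer 2.0 precedence: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  // A release outranks any prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts first
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric ids sort below alphanumeric ones
    return p < q ? -1 : 1;
  }
  return 0;
}

// Returns the upgrade target for an affected version, or null if it is in no listed range.
function fixFor(installed) {
  for (const r of AFFECTED) {
    const aboveLower = r.gt === null || compare(installed, r.gt) > 0;
    if (aboveLower && compare(installed, r.lt) < 0) return r.fix;
  }
  return null;
}

// Constructed sample inputs, e.g. versions read from a lockfile.
for (const v of ["9.1.13", "10.2.5", "11.0.4", "11.1.0-next.2", "11.1.0"]) {
  console.log(v, "->", fixFor(v) ?? "not in an affected range");
}
```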


Additional Resources

What are Similar Vulnerabilities to CVE-2021-4231?

Similar Vulnerabilities: CVE-2023-42468, CVE-2023-42467, CVE-2023-42466, CVE-2023-42465, CVE-2023-42115