CVE-2022-25869
Cross-site Scripting (XSS) vulnerability in angular (npm)
What is CVE-2022-25869 About?
This vulnerability affects all versions of the 'angular' package, allowing for Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser. Attackers can leverage this to inject malicious scripts, potentially leading to session hijacking or data theft. Exploitation requires specific browser conditions but can be relatively easy once those conditions are met.
Affected Software
Technical Details
The Cross-site Scripting (XSS) vulnerability in the 'angular' package arises from insecure page caching mechanisms specific to the Internet Explorer browser. When an Angular application is rendered and cached by Internet Explorer, the browser may improperly handle the interpolation of <textarea> elements or other templated content. An attacker can craft a malicious input that, when processed by a vulnerable Angular application and subsequently cached by Internet Explorer, becomes embedded within the cached page. On a revisit, the browser renders the cached page and executes the attacker's injected script in the origin of the vulnerable application, so the script runs with the same access that the Same-Origin Policy reserves for the application's own scripts, entirely through a client-side vector.
What is the Impact of CVE-2022-25869?
Successful exploitation may allow attackers to inject malicious scripts into web pages, leading to session hijacking, defacement, sensitive data theft, or arbitrary actions performed in the victim's browser.
What is the Exploitability of CVE-2022-25869?
Exploitation typically involves convincing a victim to visit a malicious or compromised web page while using the Internet Explorer browser. The complexity is medium, as it requires understanding how insecure caching in IE interacts with Angular's rendering. No specific authentication is required to trigger the vulnerability from the victim's side, but the victim must be authenticated to the target web application for session hijacking. No specific privileges are needed on the target web server; the vulnerability is client-side. This is a remote vulnerability, relying on typical web-based attack vectors. A special condition is that the victim must be using the Internet Explorer browser, which has specific insecure page caching behavior, and the application must use the vulnerable 'angular' package. The risk factors that increase exploitation likelihood include a user base still utilizing Internet Explorer, especially in enterprise environments, and a lack of input sanitization in the Angular application.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| neverendingsupport | Link | A minimal reproduction of an AngularJS <textarea> XSS vulnerability on IE (tracked as CVE-2022-25869). |
What are the Available Fixes for CVE-2022-25869?
Available Upgrade Options
- No fixes available
Additional Resources
- https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949782
- https://security.snyk.io/vuln/SNYK-DOTNET-ANGULARJSCORE-6084031
- https://snyk.io/vuln/SNYK-JS-ANGULAR-2949781
- https://www.npmjs.com/package/angular
- https://osv.dev/vulnerability/GHSA-prc3-vjfx-vhm9
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2949784
- https://nvd.nist.gov/vuln/detail/CVE-2022-25869
What are Similar Vulnerabilities to CVE-2022-25869?
Similar Vulnerabilities: CVE-2022-25921, CVE-2022-23541, CVE-2021-23385, CVE-2021-39225, CVE-2020-7798
