Source: angular.js
Version: 1.8.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for angular.js. Note it is not clear if this affects the old version in Debian as well; can you investigate?

CVE-2025-66412[0]:
| Angular is a development platform for building mobile and desktop
| web applications using TypeScript/JavaScript and other languages.
| Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting
| (XSS) vulnerability has been identified in the Angular Template
| Compiler. It occurs because the compiler's internal security schema
| is incomplete, allowing attackers to bypass Angular's built-in
| security sanitization. Specifically, the schema fails to classify
| certain URL-holding attributes (e.g., those that could contain
| javascript: URLs) as requiring strict URL security, enabling the
| injection of malicious scripts. This vulnerability is fixed in
| 21.0.2, 20.3.15, and 19.2.17.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66412
    https://www.cve.org/CVERecord?id=CVE-2025-66412
[1] https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
[2] https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
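The failure mode the advisory describes, modelled as an added example (not Angular's code and not the upstream fix): a template-compiler security schema mapping element|attribute pairs to a security context, an allowlist URL sanitizer, and the effect of one missing schema entry. The attribute names in the schema, including the `blockquote|cite` entry used as the "missing" one, are assumptions chosen for the demo, not the attributes the upstream commit actually added.

```javascript
// Model of a template-compiler "security schema": it maps element|attribute to
// the security context a bound value must be sanitized for. Anything not listed
// falls back to NONE and is bound verbatim, which is the gap CVE-2025-66412
// describes. (Added illustration; attribute names are assumptions for the demo.)
const SecurityContext = Object.freeze({ NONE: 'NONE', URL: 'URL' });

// Incomplete schema: only a couple of well-known URL attributes are classified.
const INCOMPLETE_SCHEMA = new Map([
  ['a|href', SecurityContext.URL],
  ['img|src', SecurityContext.URL],
]);

// Completed schema: the extra URL-holding attribute (assumption: cite on
// <blockquote>) is now classified as URL and therefore sanitized.
const COMPLETE_SCHEMA = new Map([
  ...INCOMPLETE_SCHEMA,
  ['blockquote|cite', SecurityContext.URL],
]);

// Allowlist-based URL check: relative URLs and a few harmless schemes pass
// unchanged; any other scheme is neutralized with an "unsafe:" prefix so the
// browser cannot execute it. Browsers ignore tab/newline characters inside a
// scheme, so control characters are stripped before the scheme is inspected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
function sanitizeUrl(value) {
  const original = String(value).trim();
  const probe = original.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);     // explicit scheme?
  if (!m || SAFE_SCHEMES.has(m[1].toLowerCase())) return original;
  return 'unsafe:' + original;
}

// What the compiler does for a property binding [attribute]="value": look up the
// security context in the schema and apply the matching sanitizer, if any.
function bindAttribute(schema, element, attribute, value) {
  const ctx = schema.get(`${element}|${attribute}`) ?? SecurityContext.NONE;
  return ctx === SecurityContext.URL ? sanitizeUrl(value) : String(value);
}

// Stand-alone demo with a constructed, harmless javascript: value.
const sample = 'javascript:void(0)';
console.log('incomplete schema:', bindAttribute(INCOMPLETE_SCHEMA, 'blockquote', 'cite', sample));
console.log('complete schema:  ', bindAttribute(COMPLETE_SCHEMA, 'blockquote', 'cite', sample));
```

With the incomplete schema the value reaches the attribute unchanged; with the completed schema it is rewritten to `unsafe:javascript:void(0)`, which is the whole difference the upstream fix makes.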
