CVE-2024-33665

Cross-Site Scripting
Affects
Angular Translate
>=2.19.1
in
AngularJS
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps To Reproduce:

The vulnerability can be triggered by injecting malicious code into input fields that are then processed by the translate directive. A proof of concept demonstrating this exploit is available on StackBlitz, showing how malicious scripts can be introduced into a system using angular-translate.

Addressing The Issue:

Despite angular-translate for AngularJS reaching its end-of-life, HeroDevs has stepped up to provide a critical patch to address this vulnerability. This patch ensures that input keys are properly sanitized, thus blocking the potential for XSS attacks through this vector.

HeroDevs clients paying for AngularJS Essentials Never-Ending Support received the fix for this issue in the latest NES version of angular-translate (angularjs-essentials@1.8.3-angular-translate-2.20.1). If you haven’t installed the latest version yet or need assistance, please contact our support team for help.

For all other Angular-translate users, please consider a speedy migration away from Angular-translate. Alternatively, please reach out to explore how easy it is to receive secure AngularJS updates from HeroDevs.

Learning And Prevention:

To further assist the community, HeroDevs offers detailed guidance on preventing similar vulnerabilities in the future. Key strategies include sanitizing data inputs, particularly those that interact with critical components like translation directives. We also recommend regularly reviewing and updating third-party libraries to catch and address potential security flaws before they can be exploited.

Conclusion:

CVE-2024-33665 serves as a reminder of the importance of maintaining and securing software, even after it has reached end-of-life. With proactive measures and community support, we can ensure a safer digital environment for all users.

If you are interested in receiving security, compliance, and compatibility support for AngularJS and supporting libraries, please contact us about Angular.

Stay secure and ensure your systems are updated with the latest patches from HeroDevs. For more insights and security updates, keep following our blog.

Resources:

Angular Translate NPM Package: npmjs.com/package/angular-translate

GitHub Repository: github.com/angular-translate/angular-translate

Security Issue Report: github.com/angular-translate/angular-translate/issues/1418

Vulnerability Details
ID
CVE-2024-33665
PROJECT Affected
Angular Translate
Versions Affected
>=2.19.1
Published date
April 25, 2024
≈ Fix date
February 1, 2024
Severity
Medium
Category
Cross-Site Scripting