CVE-2024-8372: 
AngularJS vulnerability analysis and mitigation

Improper sanitization of the value of the '[srcset]' attribute in AngularJS allows attackers to bypass common image source restrictions, which can lead to Content Spoofing. This vulnerability (CVE-2024-8372) affects AngularJS versions 1.3.0-rc.4 and greater. The AngularJS project is End-of-Life and will not receive any updates to address this issue (NVD, HeroDevs).

The vulnerability exists in the ngSrcset, ngAttrSrcset, and ngPropSrcset directives' logic used to sanitize image source URLs. The flaw allows bypassing restrictions set by common patterns, such as only allowing images from a specific domain. With specially-crafted input, the sanitization can be bypassed, enabling images from arbitrary domains to be displayed. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (HeroDevs, NVD).

Successful exploitation of this vulnerability could lead to content spoofing attacks, where an attacker can supply content to a web application that is reflected back to the user under the context of the trusted domain. This could potentially be used to display unauthorized images from arbitrary domains, bypassing intended security restrictions (HeroDevs).

Since AngularJS is End-of-Life, no official patches will be released to address this vulnerability. Users are advised to either migrate affected applications away from AngularJS or leverage a commercial support partner for post-EOL security support (HeroDevs).

NetApp has acknowledged the vulnerability and identified several of their products as affected, including Active IQ Unified Manager for Linux, Windows, and VMware vSphere. They are actively investigating additional products and maintaining an advisory to keep customers informed of the situation (NetApp).