CVE-2024-8373: 
AngularJS vulnerability analysis and mitigation

CVE-2024-8373 is a security vulnerability discovered in AngularJS affecting all versions of the framework. The vulnerability was disclosed on September 9, 2024, and involves improper sanitization of the [srcset] attribute in HTML elements. This vulnerability affects all versions of AngularJS, which is particularly concerning as the project is End-of-Life and will not receive official updates to address this issue (NVD, HeroDevs).

The vulnerability stems from a flaw in the sanitization process of the [srcset] attribute values in HTML elements. When setting a element's srcset attribute via the ngAttrSrcset directive or interpolation, the normal image source sanitization is bypassed. This bypass circumvents the image source restrictions that would typically be configured in the application. The vulnerability has received a CVSS v3.1 score of 4.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The successful exploitation of this vulnerability could lead to content spoofing attacks and bypass of common image source restrictions. According to OWASP, content spoofing (also known as content injection) allows an attacker to supply content to a web application that is reflected back to the user under the context of the trusted domain. This can potentially lead to the addition or modification of data presented to users (HeroDevs, NetApp).

Since AngularJS is End-of-Life, no official patches will be released to address this vulnerability. Organizations are advised to either migrate their applications away from AngularJS or seek commercial support partners for post-EOL security support. For those using Never-Ending Support (NES), patches are available in AngularJS NES v1.9.6 and v1.5.22 (HeroDevs).