SYM_JSTS_0165 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Allowlisting resource URLs with wildcards (like '**') in Angular's $sceDelegateProvider can let the app load scripts or resources from any domain, including untrusted ones. This bypasses Angular's security controls and increases the risk of malicious content being loaded.
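The following added example (not part of the original entry and not AngularJS source code) models the wildcard semantics documented for string entries in AngularJS's `$sceDelegateProvider` trusted resource URL list, to show what a `**` entry admits and how to flag such entries in a configuration review. The function names and all hostnames are constructed for illustration; `'self'` and RegExp entries are not modelled.

```javascript
// Added example: approximates the documented matching rules for string
// entries in the trusted resource URL list. Assumption: the URL passed in
// is already an absolute, normalized URL.

// Convert a list entry to an anchored RegExp:
//   '*'  -> any run of characters except : / . ? & ;
//   '**' -> any run of characters at all
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[-[\]{}()+?.,\\^$|#\s]/g, '\\$&') // escape metacharacters, keep '*'
    .replace(/\*\*/g, '\u0000')                 // placeholder so the '*' rule skips '**'
    .replace(/\*/g, '[^:/.?&;]*')
    .replace(/\u0000/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// True when any entry in the list matches the whole URL.
function isTrusted(url, list) {
  return list.some((p) => patternToRegExp(p).test(url));
}

// Review helper: return entries where '**' appears before the path,
// i.e. in the scheme or host, or where the entry has no scheme://host/ at all.
function riskyEntries(list) {
  return list.filter((p) => {
    const idx = p.indexOf('**');
    if (idx === -1) return false;
    const m = /^[a-z][a-z0-9+.-]*:\/\/[^/]*\//i.exec(p); // scheme://host/
    return !m || idx < m[0].length;
  });
}

// Constructed sample entries (not taken from any real configuration).
const sampleList = [
  '**',                                   // trusts every origin
  'https://**.example.com/',              // '**' in the host over-matches
  'https://cdn.example.com/templates/**', // '**' only at the end of the path
];
console.log('entries to review:', riskyEntries(sampleList));
console.log('third-party script trusted by "**":',
  isTrusted('https://attacker.test/payload.js', ['**']));
```

Only the third sample entry confines trust to one host and path prefix; the first two are the kind of entries this rule reports.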
Impact
If exploited, attackers could inject and execute malicious scripts from external sources, leading to cross-site scripting (XSS) attacks. This can compromise user data, steal authentication tokens, or allow attackers to perform actions on behalf of users, putting both users and the organization at risk.