CVE-2021-4231: Cross site scripting in Angular
CVSS Score: 5.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-4231
GHSA ID
EPSS Score: 0.78833%
CWE
Published: 5/27/2022
Updated: 10/10/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@angular/core | npm | >= 11.1.0-next.0, <= 11.1.0-next.2 | 11.1.0-next.3 |
@angular/core | npm | >= 11.0.0, < 11.0.5 | 11.0.5 |
@angular/core | npm | < 10.2.5 | 10.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper escaping of comment text. The supporting evidence:
- The commit completely rewrites the escaping logic in dom.ts, replacing the original END_COMMENT regex with the COMMENT_DISALLOWED and COMMENT_DELIMITER patterns.
- Test cases added or updated in security_spec.ts and dom_spec.ts demonstrate XSS via various comment closure patterns.
- The CVE description explicitly names 'handling of comments' as the attack vector.
- The patch focuses on surrounding < and > with zero-width spaces to prevent comment boundary injection.
- The original escapeCommentText function's limited replacement pattern left multiple XSS attack vectors unaddressed.
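
The difference between the two escaping approaches described above, as an added illustration (not Angular's source and not part of the advisory): a terminator-only escaper beside one that covers every sequence the HTML specification disallows in comment text, with a check run over constructed inputs. Only the names END_COMMENT, COMMENT_DISALLOWED and COMMENT_DELIMITER come from the page; the regex bodies, the function names and the sample strings are assumptions.

```javascript
// Added illustration with hypothetical function names; not Angular's source.
const ZWSP = '\u200B'; // zero-width space

// "Before" style: only the standard comment terminator is neutralised.
const END_COMMENT = /-->/g;
function escapeTerminatorOnly(value) {
  return value.replace(END_COMMENT, `-${ZWSP}-${ZWSP}>`);
}

// Assumption: the sequences the HTML spec forbids in comment text. It must not
// start with ">" or "->", contain "<!--", "-->" or "--!>", or end with "<!-".
const DISALLOWED_SRC = '^>|^->|<!--|-->|--!>|<!-$';
const COMMENT_DISALLOWED = new RegExp(DISALLOWED_SRC, 'g');
const COMMENT_DELIMITER = /(<|>)/;

function violatesCommentRules(text) {
  return new RegExp(DISALLOWED_SRC).test(text); // fresh regex, no lastIndex state
}

// "After" style: wrap the < or > of each disallowed sequence in zero-width
// spaces. Loops to a fixed point because replace() matches never overlap.
function escapeAllDisallowed(value) {
  let out = value;
  while (violatesCommentRules(out)) {
    out = out.replace(COMMENT_DISALLOWED,
      (seq) => seq.replace(COMMENT_DELIMITER, `${ZWSP}$1${ZWSP}`));
  }
  return out;
}

// Constructed inputs: one per disallowed form, plus one overlapping case.
const SAMPLES = ['>x', '->x', 'a<!--b', 'a-->b', 'a--!>b', 'a<!-', '<!-->'];

// Returns the inputs whose escaped form would still break a comment boundary.
function stillUnsafe(escaper) {
  return SAMPLES.filter((s) => violatesCommentRules(escaper(s)));
}

console.log('terminator-only leaves:', stillUnsafe(escapeTerminatorOnly));
console.log('broad escaper leaves:  ', stillUnsafe(escapeAllDisallowed));
```

Stripping the zero-width spaces from the escaped output returns the original string, so the visible comment text is unchanged.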