{"id":"CVE-2024-8372","summary":"AngularJS improper sanitization in 'srcset' attribute","details":"Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information, see the AngularJS version support status page (https://docs.angularjs.org/misc/version-support-status).","aliases":["GHSA-m9gf-397r-hwpg"],"modified":"2026-05-18T05:56:12.718811644Z","published":"2024-09-09T14:46:03.134Z","related":["CGA-cc4c-82g7-752p"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8372.json","cna_assigner":"HeroDevs","cwe_ids":["CWE-1289"]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"},{"type":"WEB","url":"https://registry.npmjs.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8372.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8372"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20241122-0002/"},{"type":"ADVISORY","url":"https://www.herodevs.com/vulnerability-directory/cve-2024-8372"},{"type":"PACKAGE","url":"https://github.com/angular/angular.js"},{"type":"EVIDENCE","url":"https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/angular/angular.js","events":[{"introduced":"ed6e91b31824b57a084b33b4fc7f869c8d5909be"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8372.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}