Clickjacking

Affecting org.webjars.bower:angular artifact, versions [1.3.1,1.5.0-beta.0)


Overview

org.webjars.bower:angular is a bower WebJar for angular.

Affected versions of this package are vulnerable to Clickjacking. By enabling the SVG setting without taking other precautions, you might expose your application to click-hijacking attacks. In these attacks, sanitized SVG elements could be positioned outside of the containing element and be rendered over other elements on the page (e.g. a login link). Such behavior can then result in phishing incidents.

To protect against these, explicitly set up an overflow: hidden CSS rule for all potential SVG tags within the sanitized content:

.rootOfTheIncludedContent svg {
  overflow: hidden !important;
}
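As an added example (not code from the advisory or from the AngularJS project), a browser-side audit that checks whether the rule above actually took effect: it walks every svg element under the wrapper of sanitized content and reports any whose computed overflow is not hidden (for instance because an icon stylesheet sets svg { overflow: visible }), plus, as an extra check, any whose box already reaches outside the wrapper. The selector .rootOfTheIncludedContent is the advisory's placeholder; substitute your own wrapper's selector.

```javascript
// Browser-side audit for pages that enable the sanitizer's SVG setting.
// Added example, not part of the Snyk advisory or AngularJS itself.

// Pure helper: true when `inner` is not fully contained by `outer`.
// Both use the getBoundingClientRect() shape: {left, top, right, bottom}.
function escapesContainer(outer, inner) {
  return inner.left < outer.left || inner.top < outer.top ||
         inner.right > outer.right || inner.bottom > outer.bottom;
}

// Pure helper: classify one svg from its computed overflow and geometry.
// Returns null when nothing is wrong, otherwise a short reason string.
function svgFinding(overflow, outerRect, svgRect) {
  if (overflow !== 'hidden') {
    return 'overflow is "' + overflow + '", expected "hidden"';
  }
  if (escapesContainer(outerRect, svgRect)) {
    return 'svg box extends outside the sanitized root';
  }
  return null;
}

// Browser entry point: audit every svg under `rootSelector` (the element
// that wraps the sanitized content). Returns an array of {element, reason};
// an empty array means every svg is clipped and stays inside the wrapper.
function auditSanitizedSvgs(rootSelector) {
  const root = document.querySelector(rootSelector);
  if (!root) throw new Error('sanitized root not found: ' + rootSelector);
  const outer = root.getBoundingClientRect();
  const findings = [];
  for (const svg of root.querySelectorAll('svg')) {
    // getComputedStyle reflects UA, page and !important rules together,
    // so this is what the browser will actually use when painting.
    const overflow = getComputedStyle(svg).overflow;
    const reason = svgFinding(overflow, outer, svg.getBoundingClientRect());
    if (reason) findings.push({ element: svg, reason });
  }
  return findings;
}

// Usage from the page, a browser console or an end-to-end test
// (".rootOfTheIncludedContent" is the advisory's placeholder selector):
//   auditSanitizedSvgs('.rootOfTheIncludedContent');  // [] when the rule holds
```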

Remediation

Upgrade org.webjars.bower:angular to version 1.5.0-beta.0 or higher.

References

CVSS Score

6.8
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Credit: Igor Minar
CWE: CWE-693
Snyk ID: SNYK-JAVA-ORGWEBJARSBOWER-479414
Disclosed: 06 Aug, 2015
Published: 23 Jan, 2017