Browser-sync-ui version 0.5.10 introduces several updates compared to the previous stable version 0.5.9, affecting the development workflow for users of BrowserSync. Both versions keep identical core dependencies (weinre, angular, immutable, angular-route, angular-touch, stream-throttle, angular-sanitize, async-each-series, and connect-history-api-fallback); the differences lie in the development dependencies, reflecting refinements to the build and testing process.
Notably, browser-sync is updated from version 2.6.4 to 2.7.12, improving integration and compatibility with the core BrowserSync library. angular-mocks moves from 1.3.11 to 1.4.1, which may improve testing of the Angular-based components in the UI. request is updated from version 2.51.0 to 2.58.0, and sinon from 1.12.2 to 1.15.3.
These upgrades point to a focus on stability and bug fixes in the browser-sync-ui development environment, with possible benefits for end users of BrowserSync as well. Developers upgrading to 0.5.10 should get a more robust UI for managing BrowserSync instances and a refined workflow when developing for it. The later release date (June 18, 2015, vs. May 26, 2015) also means the newer version carries more recent fixes for issues found in the earlier one.
All known vulnerabilities affecting version 0.5.10 of the package
angular vulnerable to regular expression denial of service via the $resource service
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the use of an insecure regular expression. A large, carefully crafted input can trigger catastrophic backtracking.
angular vulnerable to regular expression denial of service via the angular.copy() utility
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the use of an insecure regular expression. A large, carefully crafted input can trigger catastrophic backtracking.
angular vulnerable to super-linear runtime due to backtracking
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large, carefully crafted input, this can result in catastrophic backtracking and cause a denial of service.
Note: This package is EOL and will not receive any updates to address this issue. Users should migrate to @angular/core.
AngularJS improperly sanitizes SVG elements
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing) and can also degrade the application's performance and behavior by loading overly large or slow-to-load images.
This issue affects all versions of AngularJS.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
angular vulnerable to regular expression denial of service (ReDoS)
AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS): a custom locale rule can set the posPre parameter of NUMBER_FORMATS.PATTERNS[1] (used as the count in ' '.repeat()) to a very high value.
Note:
AngularJS allows attackers to bypass common image source restrictions
Improper sanitization of the value of the [srcset] attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
AngularJS allows attackers to bypass common image source restrictions
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing).
This issue affects all versions of AngularJS.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.
Angular (deprecated package) Cross-site Scripting
All versions of the package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
The NPM package angular is deprecated. Those who want to receive security updates should use the actively maintained package @angular/core.
angular vulnerable to regular expression denial of service via the <input type="url"> element
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the use of an insecure regular expression in the input[url] functionality. A large, carefully crafted input can trigger catastrophic backtracking.
AngularJS Incomplete Filtering of Special Elements vulnerability
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/Content_Spoofing) and can also degrade the application's performance and behavior by loading overly large or slow-to-load images.
This issue affects AngularJS versions greater than or equal to 1.3.1.
Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see https://docs.angularjs.org/misc/version-support-status.