VYPR
Moderate severity · NVD Advisory · Published Jun 30, 2023 · Updated Nov 27, 2024

CVE-2023-34840

Description

angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 were discovered to contain a cross-site scripting (XSS) vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Angular-ui-notification 0.1.0-0.3.6 has a stored/reflected XSS via unsanitized HTML in notification messages.

Overview

Angular-ui-notification versions 0.1.0, 0.2.0, and 0.3.6 contain a cross-site scripting (XSS) vulnerability. The library does not sanitize user input when constructing notification messages, allowing arbitrary HTML and script injection [1][3].

Exploitation

Any user-controlled data passed to the `message` parameter of the notification service is rendered directly in the DOM without encoding. An attacker can supply a payload that executes in the context of the application [3]. The vulnerability is triggered whenever an application uses `Notification`, `Notification.success`, or similar methods with unsanitized input [2][3].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, or other client-side attacks [1][3].

Mitigation

The project appears unmaintained. Users are advised to either sanitize input themselves before calling the notification methods or switch to an alternative maintained library [3].
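One way to apply the "sanitize input themselves" option is to HTML-encode every untrusted value before it reaches the notification service. This is an added example, not code from the advisory or the library: `escapeHtml`, `safeNotifier` and `makeFakeNotification` are hypothetical names, the `title` field is an assumption, and the stand-in service is constructed so the block runs without AngularJS.

```javascript
// Characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;'
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Option fields assumed to be rendered as HTML (assumption: message and title).
const HTML_FIELDS = ['message', 'title'];

// Accepts either a bare string or an options object and returns an encoded copy.
function encodeArgs(args) {
  if (args === null || args === undefined) return args;
  if (typeof args !== 'object') return escapeHtml(args);
  const copy = Object.assign({}, args);
  for (const field of HTML_FIELDS) {
    if (copy[field] !== undefined && copy[field] !== null) {
      copy[field] = escapeHtml(copy[field]);
    }
  }
  return copy;
}

// Wrap a Notification-style service so every call encodes its text first.
// `methods` lists the typed helpers the application actually uses.
function safeNotifier(Notification, methods = ['success']) {
  const wrap = (fn) => (args, ...rest) =>
    fn.call(Notification, encodeArgs(args), ...rest);
  const safe = wrap(Notification);
  for (const name of methods) {
    if (typeof Notification[name] === 'function') {
      safe[name] = wrap(Notification[name]);
    }
  }
  return safe;
}

// Constructed stand-in for the service: records the string that would be
// inserted into the DOM as HTML, so the encoding can be checked offline.
function makeFakeNotification() {
  const rendered = [];
  const svc = (args) => {
    rendered.push(typeof args === 'object' ? args.message : args);
  };
  svc.success = (args) => svc(args);
  svc.rendered = rendered;
  return svc;
}
```

With this wrapper, markup in a message is displayed literally, so any notification that needs formatting should build it from a trusted template and encode only the interpolated user values.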

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| angular-ui-notification (npm) | >= 0.1.0, <= 0.3.6 | |

Affected products

3

Patches

0

No patches discovered yet.

References

3
