CVE-2024-33665 in angular-translate
Summary
by MITRE • 04/26/2024
angular-translate through 2.19.1 allows XSS via a crafted key that is used by the translate directive. NOTE: the vendor indicates that there is no documentation indicating that a key is supposed to be safe against XSS attacks.
Analysis
by VulDB Data Team • 04/03/2025
CVE-2024-33665 affects angular-translate versions 2.19.1 and earlier. It is a cross-site scripting vulnerability that arises from improper handling of crafted translation keys within the translate directive. This issue stems from the library's failure to adequately sanitize input parameters that are used as translation keys, creating a potential attack vector where malicious actors could inject harmful scripts through carefully constructed key values. The vulnerability is particularly concerning because it operates at the translation layer of the application, where user input or dynamic content might be processed through the translation system.
The technical flaw manifests when the translate directive processes a translation key that contains malicious script content, which then gets rendered into the web application without proper sanitization. This behavior aligns with CWE-79, which describes cross-site scripting vulnerabilities where untrusted data is improperly integrated into web pages with executable content. The vulnerability operates at the application logic level rather than the network protocol level, making it a classic example of insecure input handling that can lead to arbitrary code execution within the user's browser context. The attack requires that the malicious key be processed by the translate directive and subsequently rendered in the application's UI, which typically occurs when translation keys are populated with user-supplied data or dynamic content.
The operational impact of this vulnerability extends beyond simple script injection, as it can potentially enable attackers to steal user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users. In applications that utilize dynamic translation keys or allow user-generated content to influence translation parameters, this vulnerability could be exploited to compromise user data and application integrity. The risk is particularly elevated in web applications that handle sensitive information or operate in environments where users might have the ability to influence translation content through forms or other input mechanisms. The vulnerability's exploitation is limited by the need for the malicious key to be processed through the translate directive, but this requirement does not prevent the potential for widespread impact across applications using the affected library.
Organizations should implement immediate mitigation strategies including updating to the latest version of angular-translate where the vulnerability has been addressed, or applying custom sanitization measures to all translation keys before they are processed by the translate directive. Security teams should also review application code to identify any instances where user input directly influences translation keys, implementing proper input validation and sanitization routines. The fix typically involves ensuring that all translation keys are properly escaped or sanitized before being passed to the translate directive, aligning with ATT&CK technique T1213 which addresses data from information repositories. Additionally, developers should consider implementing Content Security Policy headers as an additional defense-in-depth measure to limit the potential impact of successful XSS attacks. Organizations utilizing this library should conduct comprehensive security assessments of their translation systems and review all user-facing content that might be processed through the translation framework to identify potential attack vectors.
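The key validation recommended above, as an added example (not code from angular-translate or from this advisory): untrusted input is accepted as a translation key only if it is well formed and present in the application's own catalogue, otherwise a fixed fallback key is used. The catalogue, function names, key pattern and length limit are assumptions made for the illustration.

```javascript
// Added example: allow-list validation for translation keys that may be
// influenced by user input. All names here are hypothetical, not library API.

// Constructed sample catalogue with nested namespaces.
const SAMPLE_CATALOGUE = {
  HOME: { TITLE: 'Welcome', SUBTITLE: 'Start here' },
  ERRORS: { NOT_FOUND: 'Page not found', GENERIC: 'Something went wrong' },
};

const KEY_PATTERN = /^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$/; // assumed key syntax
const MAX_KEY_LENGTH = 128;                              // assumed limit

// Walk the nested catalogue and collect every string leaf as "A.B.C".
function flattenKeys(table, prefix = '', out = new Set()) {
  for (const [name, value] of Object.entries(table)) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (value !== null && typeof value === 'object') {
      flattenKeys(value, path, out);
    } else if (typeof value === 'string') {
      out.add(path);
    }
  }
  return out;
}

// Return the candidate only if it is a well-formed key that exists in the
// catalogue; otherwise return the fixed fallback key and the rejection reason.
function resolveTranslationKey(candidate, knownKeys, fallbackKey) {
  if (!knownKeys.has(fallbackKey)) {
    throw new Error('fallback key must exist in the catalogue');
  }
  const reject = (reason) => ({ key: fallbackKey, accepted: false, reason });
  if (typeof candidate !== 'string') return reject('not-a-string');
  if (candidate.length === 0 || candidate.length > MAX_KEY_LENGTH) return reject('bad-length');
  if (!KEY_PATTERN.test(candidate)) return reject('bad-characters');
  if (!knownKeys.has(candidate)) return reject('unknown-key');
  return { key: candidate, accepted: true, reason: null };
}

const KNOWN_KEYS = flattenKeys(SAMPLE_CATALOGUE);
// Constructed untrusted inputs, e.g. an error code taken from a query string.
for (const input of ['ERRORS.NOT_FOUND', 'ERRORS.<b>x</b>', 'ERRORS.MISSING', 42]) {
  console.log(JSON.stringify(input), '->',
    resolveTranslationKey(input, KNOWN_KEYS, 'ERRORS.GENERIC'));
}
```

Only the returned `key` should be bound to the translate directive; logging the `reason` for rejected input gives reviewers a way to find the places where user data reaches translation keys.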