CVE-2024-33665 is a cross-site scripting (XSS) vulnerability identified in the angular-translate library, specifically affecting versions through 2.19.1. Angular-translate is a popular AngularJS module used for internationalization and localization by providing translation capabilities via keys and directives. The vulnerability occurs when a malicious actor crafts a specially designed translation key that is processed by the translate directive without proper sanitization or encoding, enabling injection of arbitrary JavaScript code into the client-side application. This results in a reflected or stored XSS attack vector, depending on how keys are managed and rendered. The vendor has clarified that there is no official documentation guaranteeing that translation keys are safe from XSS, which suggests that the library does not inherently sanitize keys before rendering. The CVSS 3.1 base score is 6.1, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction (e.g., victim clicking a link or visiting a malicious page). The scope is changed, indicating the vulnerability can affect components beyond the vulnerable library itself, potentially impacting the entire web application. The impact affects confidentiality and integrity by allowing execution of arbitrary scripts, which can lead to session hijacking, data theft, or manipulation of the user interface. Availability is not impacted. No patches or fixes have been released yet, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

This vulnerability poses a moderate risk to organizations using angular-translate for localization in their web applications. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to theft of sensitive information such as authentication tokens, personal data, or manipulation of the user interface to perform fraudulent actions. Although it does not directly impact system availability, the compromise of confidentiality and integrity can have serious consequences, including reputational damage and regulatory non-compliance. Since angular-translate is widely used in many web applications globally, especially in enterprise and SaaS platforms, the scope of affected systems is broad. The requirement for user interaction limits automated exploitation but does not eliminate risk, as social engineering or phishing can be used to lure victims. The lack of patches increases exposure time, emphasizing the need for immediate mitigation. Organizations with high user interaction web portals, especially those handling sensitive data or financial transactions, are at greater risk.

To mitigate this vulnerability, organizations should first audit their use of angular-translate and identify where translation keys are sourced and rendered. Avoid using untrusted or user-controllable input as translation keys. Implement strict input validation and sanitization on any data that could influence translation keys. Employ output encoding or context-aware escaping mechanisms before rendering translation keys in the DOM to prevent script injection. Consider upgrading to a patched version once available or applying custom patches that sanitize keys. Use Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Educate developers on secure coding practices related to internationalization libraries. Additionally, monitor web application logs for suspicious activities indicative of XSS exploitation attempts. If feasible, implement runtime application self-protection (RASP) or web application firewalls (WAF) with XSS detection rules to provide an additional layer of defense.