Defender Management Portal and ISAPI portal AngularJS vulnerability CVE-2024-8373 (4380912)

CVE-2024-8373 affects legacy AngularJS versions (1.x) due to improper sanitization of the srcset attribute, which may lead to a potential Content Spoofing issue. Our application currently uses AngularJS 1.2.6, which falls within the affected range.

CVE-2024-8373 is non-exploitable in Defender.

The identified vulnerability is effectively mitigated in our environment through multiple existing security controls. Specifically, our portal enforces a strict Content Security Policy (CSP) header with nonce-based script whitelisting, which prevents the execution of any inline or injected scripts that lack a valid server-generated nonce. This provides robust protection against XSS, including potential sanitizer bypasses like CVE-2024-8373.

Additionally, the application utilizes standard anti-forgery mechanisms and secure coding practices, further reducing the attack surface for client-side script injection.

For long-term security hardening, an upgrade from AngularJS 1.2.6 to the latest Angular (2+) framework is already planned and tracked as Defect # 427553. This upgrade will eliminate legacy AngularJS dependencies entirely and align the application with modern Angular’s built-in security model and active support lifecycle.