{"id":47519,"date":"2026-03-18T14:12:10","date_gmt":"2026-03-18T07:12:10","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=47519"},"modified":"2026-03-18T14:13:18","modified_gmt":"2026-03-18T07:13:18","slug":"angular-dinh-lo-hong-nguy-hiem-hang-loat-ung-dung-web-co-the-bi-khai-thac","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/angular-dinh-lo-hong-nguy-hiem-hang-loat-ung-dung-web-co-the-bi-khai-thac\/",
"title":{"rendered":"Angular hit by a dangerous vulnerability, a large number of web applications could be exploited"},
"content":{"rendered":"<div>\n<p><b>A serious vulnerability just discovered in the Angular framework is causing particular concern among the web development community and the cybersecurity world. The vulnerability, identified as CVE-2026-32635, lets an attacker inject and execute malicious code directly in the user's browser, turning familiar features into dangerous entry points. What is worrying is that the vulnerability can be exploited fairly easily in applications that use dynamic data, spreading the risk widely in real-world environments.<\/b><\/p>\n<\/div>\n<div>\n<p>According to the GitHub Security Advisory, CVE-2026-32635 directly affects Angular's core components, including @angular\/core and @angular\/compiler. The affected range stretches from the version 17 releases up to the pre-release builds of version 22. With Angular widely used in both enterprise systems and consumer-facing applications, the attack surface is considerably enlarged, creating favourable conditions for real-world exploitation scenarios.<br \/>\nThe problem arises because the security check is skipped when internationalization attributes are used together with sensitive HTML attributes. Under normal conditions, Angular automatically sanitizes data bound to attributes such as href, src or formaction in order to prevent code injection. However, when developers add i18n-style attributes to support multiple languages, this mechanism is not triggered as expected.<br \/>\nThis leads to a dangerous scenario when untrusted data is bound directly to sensitive attributes. If the value comes from a URL parameter or an API response, an attacker can inject JavaScript-URL payloads and trigger code execution in the victim's browser. The affected attributes are not limited to href and src but also include action, formaction, data, background, poster, longdesc, cite, codebase, itemtype and xlink:href. All of these are common elements in modern web applications, which makes the real-world level of risk considerable.<br \/>\nOn successful exploitation, an attacker can execute arbitrary JavaScript within the user's session. From there, they can steal cookies to hijack the login session, extract sensitive data from forms or page content, and even perform unauthorized actions in the user's name. Notably, exploitation does not require elevated privileges and needs very little interaction, so the flaw is rated high severity on the CVSS version 4 scale. Given these characteristics, CVE-2026-32635 is considered one of the notable vulnerabilities in the Angular ecosystem in recent times.<br \/>\nThe affected Angular versions cover the range from 17.0.0-next.0 to 18.2.14, the 19.x releases before 19.2.20, 20.x before 20.3.18, 21.x before 21.2.4, and the pre-release builds of version 22 before next.3. The vulnerability has been fixed in versions 19.2.20, 20.3.18, 21.2.4 and 22.0.0-next.3. Worryingly, however, the 17 and 18 branches currently have no official patch, leaving many systems still exposed to exploitation.<br \/>\nExperts recommend that organizations prioritize updating to the patched versions as soon as possible. Where upgrading is not yet possible, binding untrusted data to sensitive attributes should be kept to a minimum, and combining i18n attributes with dynamic bindings in high-risk positions should be avoided. Using DomSanitizer to control and sanitize data before rendering is also considered a necessary mitigation.<br \/>\nThis incident reveals a notable gap between framework-level security mechanisms and the way advanced features such as internationalization are actually deployed. Safety guarantees that are normally relied upon can break down in specific situations, especially when several mechanisms interact with one another. It is a clear warning to development and security teams that frontend code review needs to dig deeper into framework-specific behaviours rather than relying solely on the framework's default guarantees.<\/p>\n<\/div>\n<div style=\"text-align: right;\"><b><i>Source: Cyber Press<\/i><\/b><\/div>\n","protected":false},
"excerpt":{"rendered":"<p>A serious vulnerability just discovered in the Angular framework is causing particular concern among the web development community and the cybersecurity world. The vulnerability, identified as CVE-2026-32635, lets an attacker inject and execute malicious code directly in the user's browser, turning familiar [&hellip;]<\/p>\n","protected":false},
"author":20,"featured_media":47520,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[3,24,35],"tags":[],"class_list":["post-47519","post","type-post","status-publish","format-standard","has-post-thumbnail","category-canh-bao-khuyen-nghi","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=47519"}],"version-history":[{"count":2,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47519\/revisions"}],"predecessor-version":[{"id":47522,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/47519\/revisions\/47522"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/47520"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=47519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=47519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=47519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}