CVE-2020-5219
Summary
| CVE | CVE-2020-5219 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-24 16:15:00 UTC |
| Updated | 2020-01-31 20:50:00 UTC |
| Description | Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any JavaScript expression, thus gaining Remote Code Execution. |
Risk And Classification
Problem Types: CWE-74
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Peerigon | Angular-expressions | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| AngularJS: Angular 1.6 - Expression Sandbox Removal | MISC | blog.angularjs.org | Vendor Advisory |
| Disallow access to prototype chain (CVE-2020-5219) · peerigon/angular-expressions@061addf · GitHub | MISC | github.com | Patch |
| Angular Expressions - Remote Code Execution · Advisory · peerigon/angular-expressions · GitHub | CONFIRM | github.com | Mitigation, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: reported by GoSecure Inc
Legacy QID Mappings
- 983110 Nodejs (npm) Security Update for angular-expressions (GHSA-hxhm-96pp-2m43)