CVE-2020-5219

Опубликовано: 24 янв. 2020

Источник: nvd

CVSS3: 8.7

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

Ссылки

http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667
Patch
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43
Mitigation
Third Party Advisory
http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
Vendor Advisory
https://github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d020038e65667
Patch
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:peerigon:angular-expressions:*:*:*:*:*:node.js:*:*

Версия до 1.0.1 (исключая)

EPSS

Процентиль: 70%

0.00633

Низкий

8.7 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-74

Связанные уязвимости

GHSA-hxhm-96pp-2m43

CVSS3: 8.7

github

около 6 лет назад

Remote Code Execution in Angular Expressions

EPSS

Процентиль: 70%

0.00633

Низкий

8.7 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-74