CVE-2019-14863
MEDIUM6.1EPSS 0.10%AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes
發布日:2020/2/14修改日:2026/4/28
描述
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
受影響套件(3)
- Debian/angular.jsfrom 0, < 1.5.3-2
- Debian/angular.jsfrom 0, < 1.2.26-1+deb8u1
- npm/angularfrom 0, < 1.5.0-beta.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-14863
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-14863
- PATCHhttps://github.com/angular/angular.js
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
- WEBhttps://github.com/angular/angular.js/commit/35a21532b73d5bd84b4325211c563e6a3e2dde82
- WEBhttps://github.com/angular/angular.js/commit/f33ce173c90736e349cf594df717ae3ee41e0f7a
- WEBhttps://github.com/angular/angular.js/pull/12524
- WEBhttps://snyk.io/vuln/npm:angular:20150807
- WEBhttps://www.npmjs.com/advisories/1453