CVE-2019-14863
angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Severity Score
6.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Hay una vulnerabilidad en todas las versiones de angular anteriores a la versión 1.5.0-beta.0, donde después de escapar del contexto de la aplicación web, la aplicación web entrega datos a sus usuarios junto con otro contenido dinámico seguro, sin comprobarlo.
A cross-site scripting (XSS) flaw was found in Angular. This flaw occurs due to improper sanitation of xlink:href attributes, which allows the web application to deliver data to users, along with other trusted content, without proper validation.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-08-10 CVE Reserved
- 2019-12-03 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://snyk.io/vuln/npm:angular:20150807 | 2020-01-09 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2019-14863 | 2019-12-03 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1763589 | 2019-12-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Angularjs Search vendor "Angularjs" | Angular.js Search vendor "Angularjs" for product "Angular.js" | >= 1.0.0 <= 1.4.14 Search vendor "Angularjs" for product "Angular.js" and version " >= 1.0.0 <= 1.4.14" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Decision Manager Search vendor "Redhat" for product "Decision Manager" | 7.0 Search vendor "Redhat" for product "Decision Manager" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Process Automation Search vendor "Redhat" for product "Process Automation" | 7.0 Search vendor "Redhat" for product "Process Automation" and version "7.0" | - |
Affected
| ||||||