Remote Code Execution in Angular Expressions
CVE-2020-5219

8.7HIGH

Key Information:

Vendor: Peerigon
Status: Angular-expressions
Vendor: CVE Published:; 24 January 2020

What is CVE-2020-5219?

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

Affected Version(s)

angular-expressions < 1.0.1

References

https://github.com/peerigon/angular-expressions/security/...

x_refsource_CONFIRM

https://github.com/peerigon/angular-expressions/commit/06...

x_refsource_MISC

http://blog.angularjs.org/2016/09/angular-16-expression-s...

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2020
Vulnerability Reserved
Jan 2, 2020

Credit

reported by GoSecure Inc

CVE-2020-5219 Data

JSON

Peerigon

What is CVE-2020-5219?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit