Vulnerability in Peerigon Angular-expressions
CVE-2020-5219
Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the bro…
EPSS: 0.006 (70.8th percentile).
CVSS v3 metric
CVSS v3 base score 8.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Peerigon Angular-expressions — versions < 1.0.1
Weakness classification (CWE)
References
- github.com/peerigon/angular-expressions/security/advisories/GHSA-hxhm-96pp-2m43 (x_refsource_CONFIRM)
- github.com/peerigon/angular-expressions/commit/061addfb9a9e932a970e5fcb913d0200… (x_refsource_MISC)
- blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-5219?
  CVE-2020-5219 is a high-severity vulnerability in Peerigon Angular-expressions, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 8.7/10. Published 2020-01-24.
- How severe is CVE-2020-5219?
  High severity. CVSS v3 base score is 8.7 out of 10.