CVE-2019-14863
Cross-Site Scripting (XSS) vulnerability in angular
What is CVE-2019-14863 About?
Versions of `angular` prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting (XSS) due to a failure to sanitize `xlink:href` attributes. This allows attackers to execute arbitrary JavaScript in a victim's browser, leading to session hijacking, data theft, or defacement. Exploitation is relatively easy if user-controlled input populates `xlink:href` within SVG/XML.
Affected Software
Technical Details
The XSS vulnerability in `angular` versions before 1.5.0-beta.1 specifically arises from insufficient sanitization of the `xlink:href` attribute within SVG or XML contexts. When user-controlled data is inserted into this attribute without proper escaping or validation, an attacker can inject malicious JavaScript code. For example, by using `javascript:` pseudo-protocol URLs within `xlink:href`, the attacker can cause the browser to execute their script when the affected element (e.g., `<use xlink:href='javascript:alert(1)'></use>`) is rendered. This bypasses client-side security mechanisms and executes the script in the context of the vulnerable web application.
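A defensive check for the condition described above, as an added example that is not AngularJS's own code: it validates a value before it is bound to `xlink:href`, accepting only `http`/`https` URLs or scheme-less references such as `#icon`. The function names, the allowlist, the `unsafe:` prefix and the sample values are assumptions of this sketch, and the input is assumed to be the already-decoded attribute value.

```javascript
// Added example: scheme allowlist for values destined for xlink:href.
// All names here are hypothetical; adapt the allowlist to your application.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// URL parsers drop tab/CR/LF anywhere in the string and ignore leading
// control characters and spaces, so the check must normalize the same way
// or the scheme it sees will differ from the scheme the browser sees.
function normalizeForSchemeCheck(value) {
  return String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// True when the value has no scheme (fragment or relative reference)
// or when its scheme is on the allowlist.
function isSafeXlinkHref(value) {
  const v = normalizeForSchemeCheck(value);
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(v);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Neutralize a rejected value by prefixing it, so it no longer parses as an
// executable URL but stays visible in the DOM for debugging.
function sanitizeXlinkHref(value) {
  const s = String(value);
  return isSafeXlinkHref(s) ? s : 'unsafe:' + s;
}

// Constructed sample inputs standing in for user-controlled data.
const SAMPLES = [
  '#icon-user',
  'https://example.com/sprite.svg#logo',
  'img/a:b.svg#x',            // colon after a slash is not a scheme
  'javascript:alert(1)',      // the page's own example
  'JaVa\tScript:alert(1)',    // same scheme after normalization
];

function rejectedSamples(samples) {
  return samples.filter((s) => !isSafeXlinkHref(s));
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeXlinkHref(s)));
}
```

The check covers the scheme only; where the value ends up in server-rendered markup it still needs attribute escaping.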
What is the Impact of CVE-2019-14863?
Successful exploitation may allow attackers to execute arbitrary client-side script code in the victim's browser, leading to session hijacking, defacement of the website, or sensitive data theft.
What is the Exploitability of CVE-2019-14863?
Exploitation of this XSS vulnerability is of low complexity. No authentication is required for a user to be affected if they visit a page serving the malicious content. No special privileges are needed. The attack is client-side and typically requires remote interaction, where an attacker crafts a malicious link or injects payload into a website. The main prerequisite is that the web application uses a vulnerable version of `angular` and incorporates unsanitized, user-controlled input into elements that utilize `xlink:href` attributes. The likelihood of exploitation increases if the application commonly displays or processes user-generated content without robust sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-14863?
Available Upgrade Options
- angular
  - <1.5.0-beta.1 → Upgrade to 1.5.0-beta.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2019-14863
- https://github.com/angular/angular.js/commit/f33ce173c90736e349cf594df717ae3ee41e0f7a
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
- https://snyk.io/vuln/npm:angular:20150807
- https://github.com/angular/angular.js/commit/35a21532b73d5bd84b4325211c563e6a3e2dde82
- https://github.com/angular/angular.js/pull/12524
- https://github.com/angular/angular.js
- https://osv.dev/vulnerability/GHSA-r5fx-8r73-v86c
- https://www.npmjs.com/advisories/1453
What are Similar Vulnerabilities to CVE-2019-14863?
Similar Vulnerabilities: CVE-2023-45133, CVE-2023-38502, CVE-2023-36655, CVE-2023-34035, CVE-2023-32692
