CVE-2020-7676
Cross Site Scripting vulnerability in angular (npm)

Cross Site Scripting | No known exploit | Fixable by Resolved Security

What is CVE-2020-7676 About?

This Cross Site Scripting (XSS) vulnerability in Angular.js allows an attacker to bypass sanitization by wrapping `<option>` elements in `<select>` ones. This changes HTML parsing behavior, enabling injection of unsanitized code into the DOM. Exploitation is possible if an attacker can control user-supplied HTML content that is rendered by a vulnerable Angular.js application.

Affected Software

angular <1.8.0

Technical Details

Angular.js versions prior to 1.8.0 are susceptible to a Cross-Site Scripting (XSS) vulnerability in their sanitization mechanism. The regex-based input HTML replacement, intended for sanitization, can be circumvented: wrapping `<option>` elements within `<select>` elements alters HTML parsing behavior so that code that was previously sanitized, or expected to be safe, becomes unsanitized. An attacker can craft malicious HTML containing JavaScript code within `<option>` tags and enclose these in `<select>` tags. When Angular.js processes this, the shift in parsing context allows the embedded script to bypass the sanitization regex and execute in the user's browser.

What is the Impact of CVE-2020-7676?

Successful exploitation may allow attackers to execute arbitrary script code in the context of the user's browser, leading to session hijacking, data theft, or defacement.

What is the Exploitability of CVE-2020-7676?

Exploitation of this Cross Site Scripting vulnerability has a moderate complexity. An attacker needs to be able to inject specific crafted HTML content into a webpage rendered by a vulnerable Angular.js application. Prerequisites include allowing user-supplied HTML that is then dynamically rendered without sufficient sanitization. Authentication requirements depend on whether the content injection vector (e.g., comment section, profile editor) is accessible to unauthenticated users. Privilege requirements are typically low, as the attack targets the client-side browser. This is primarily a remote exploitation scenario, where a malicious user provides input to a web application. The risk is heightened in web applications that embed or reflect user-controlled HTML content, especially in older Angular.js deployments.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-7676?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • angular
    • <1.8.0 → Upgrade to 1.8.0
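
To find installs that still fall in the affected range, the following added example (not code from Resolved Security or the AngularJS project) walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and reports every copy of the `angular` package below 1.8.0, including nested copies. The sample lockfile and function names are constructed for illustration; treating a pre-release of 1.8.0 as affected is a conservative assumption.

```javascript
// Added example: flag AngularJS copies in the advisory's affected range
// (angular < 1.8.0) inside a package-lock.json "packages" map.
const FIXED = "1.8.0"; // first fixed release, per the advisory

// Parse "x.y.z[-pre][+build]" into { nums: [x, y, z], pre: "rc.1" | null }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when version < FIXED. A pre-release of 1.8.0 (e.g. 1.8.0-rc.1) sorts
// before 1.8.0 in semver, so it is conservatively reported (assumption).
function isAffected(version) {
  const a = parseVersion(version), b = parseVersion(FIXED);
  if (!a) return true; // unparseable version: fail closed and report it
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null;
}

// Return every affected installed copy of "angular", including nested ones.
function findAffectedAngular(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only the package named exactly "angular",
    // not "angular-route" or "@angular/core".
    if (!/(^|\/)node_modules\/angular$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from the advisory).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/angular": { version: "1.8.0" },
  "node_modules/angular-route": { version: "1.7.9" },
  "node_modules/@angular/core": { version: "9.1.0" },
  "node_modules/legacy-widget/node_modules/angular": { version: "1.7.9" },
  "node_modules/beta-widget/node_modules/angular": { version: "1.8.0-rc.1" },
}};

console.log(findAffectedAngular(sampleLock));
```

A top-level `angular` at 1.8.0 does not clear the project if a dependency bundles its own older copy, which is why the nested paths are checked as well.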


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7676?

Similar Vulnerabilities: CVE-2021-23386, CVE-2021-3640, CVE-2020-7763, CVE-2020-7704, CVE-2016-10557