Arbitrary Code Execution Affecting angularjs.core package, versions [,1.3.0)
Attack Complexity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-DOTNET-ANGULARJSCORE-1579455
-
published
23 Jan 2017
-
disclosed
7 Jun 2014
-
credit
Jann Horn
How to fix?
Upgrade AngularJS.Core to version 1.3.0 or higher.
Overview
AngularJS.Core is an AngularJS.* package for other Angular modules within .NET.
Affected versions of this package are vulnerable to Arbitrary Code Execution. $parse allowed arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:
- Application mixes server-side and client-side templating
- The server-side templating contains XSS vulnerabilities
- The vulnerabilities in the server-side templating are being guarded by server-side XSS filters or on the client-side via CSP
- The server-side XSS vulnerabilities can be used to augment the client-side template processed by Angular
Applications not meeting all of the conditions are not vulnerable.