Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7ABBC2216D89EE5076D0AB79D6300D3A5AE89E3041479BE2F8B35ABF99235A12
HistoryAug 16, 2021 - 3:43 p.m.

Security Bulletin: Multiple vulnerabilities in AngularJS

2021-08-1615:43:07
www.ibm.com
16
ibm security bulletin
angularjs
cross-site scripting
prototype pollution
denial of service
security restrictions

EPSS

0.002

Percentile

51.9%

JSON

Summary

IBM has addressed the applicable CVEs

Vulnerability Details

CVEID:CVE-2020-7676
**DESCRIPTION:**angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-14863
**DESCRIPTION:**Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-10768
**DESCRIPTION:**AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**Third Party Entry:**172544
**DESCRIPTION:**AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the document.implementation.createHTMLDocument(). A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172544 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**Third Party Entry:**172550
**DESCRIPTION:**AngularJS is vulnerable to a denial of service, caused by the failure of the $sanitize sanitizer to traverse the HTML when one or more of the elements in the HTML have been "clobbered". A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172550 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**Third Party Entry:**172543
**DESCRIPTION:**AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the $http function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172543 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway V10 CD 10.0.2.0
IBM DataPower Gateway 10.0.1 10.0.1.0-10.0.1.4
IBM DataPower Gateway 2018.4.1.0-2018.4.1.16

Remediation/Fixes

Affected Product
| Fixed in version
| APAR

—|—|—
IBM DataPower Gateway V10 CD
| 10.0.3.0
| IT37933

IBM DataPower Gateway 10.0.1
| 10.0.1.4
| IT37933
IBM DataPower Gateway 2018.4.1
| 2018.4.1.17
| IT37933

Workarounds and Mitigations

None

Related

ibm 19
redhatcve 3
ubuntucve 3
cvelist 3
osv 7
cve 3
nodejs 1
nvd 3
github 3
prion 3
debian 1
openvas 1
nessus 7
debiancve 3
githubexploit 1
veracode 2
f5 1
redhat 13
ics 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in angular.js may affect IBM Business Automation Workflow ( CVE-2019-14863, CVE-2020-7676, CVE-2019-10768)
2023-06-05 19:42:57
Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities
2021-08-13 22:11:10
Security Bulletin: A cross-site scripting vulnerability in Angular.js affects IBM InfoSphere Information Server
2021-06-17 23:04:52
redhatcve
redhatcve
CVE-2019-14863
2019-10-21 13:21:25
CVE-2020-7676
2020-06-19 20:29:14
CVE-2019-10768
2020-03-13 14:10:49
ubuntucve
ubuntucve
CVE-2019-14863
2020-01-02 00:00:00
CVE-2020-7676
2020-06-08 00:00:00
CVE-2019-10768
2019-11-19 00:00:00
cvelist
cvelist
CVE-2019-14863
2020-01-02 14:20:50
CVE-2020-7676
2020-06-08 13:34:09
CVE-2019-10768
2019-11-19 20:07:49
osv
osv
angular.js - security update
2019-11-18 00:00:00
AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes
2020-02-14 23:08:49
CVE-2019-14863
2020-01-02 15:15:12
cve
cve
CVE-2019-14863
2020-01-02 15:15:12
CVE-2020-7676
2020-06-08 14:15:13
CVE-2019-10768
2019-11-19 21:15:11
nodejs
nodejs
Cross-Site Scripting
2020-01-10 20:46:03
nvd
nvd
CVE-2019-14863
2020-01-02 15:15:12
CVE-2020-7676
2020-06-08 14:15:13
CVE-2019-10768
2019-11-19 21:15:11
github
github
AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes
2020-02-14 23:08:49
Cross site scripting in Angular
2020-06-18 14:19:58
Prototype Pollution in angular
2019-11-20 15:29:43
prion
prion
Design/Logic Flaw
2020-01-02 15:15:00
Cross site scripting
2020-06-08 14:15:00
Code injection
2019-11-19 21:15:00
debian
debian
[SECURITY] [DLA 1995-1] angular.js security update
2019-11-18 07:14:29
openvas
openvas
Debian: Security Advisory (DLA-1995-1)
2019-11-26 00:00:00
nessus
nessus
Debian DLA-1995-1 : angular.js security update
2019-11-20 00:00:00
RHEL 8 : Red Hat OpenStack Platform 16.1.9 (python-XStatic-Angular) (RHSA-2022:8866)
2023-01-23 00:00:00
RHEL 9 : Red Hat OpenStack Platform 17.0 (python-XStatic-Angular) (RHSA-2023:0274)
2024-04-28 00:00:00
debiancve
debiancve
CVE-2019-14863
2020-01-02 15:15:12
CVE-2020-7676
2020-06-08 14:15:13
CVE-2019-10768
2019-11-19 21:15:11
githubexploit
githubexploit
Exploit for Cross-site Scripting in Angularjs Angular.Js
2020-12-01 09:45:48
veracode
veracode
Cross-site Scripting (XSS)
2020-06-09 02:33:32
Prototype Pollution
2019-11-20 02:00:52
f5
f5
K32412075: AngularJS XSS vulnerability CVE-2020-7676
2021-07-23 00:00:00
redhat
redhat
(RHSA-2021:0417) Moderate: Red Hat AMQ Broker 7.8.1 release and security update
2021-02-04 13:31:57
(RHSA-2022:8866) Moderate: Red Hat OpenStack Platform 16.1.9 (python-XStatic-Angular) security update
2022-12-07 20:09:54
(RHSA-2022:8849) Moderate: Red Hat OpenStack Platform 16.2.4 (python-XStatic-Angular) security update
2022-12-07 19:00:35
ics
ics
OSIsoft PI System (Update A)
2020-07-27 12:00:00

EPSS

0.002

Percentile

51.9%

JSON
Related for 7ABBC2216D89EE5076D0AB79D6300D3A5AE89E3041479BE2F8B35ABF99235A12
ibm19redhatcve3ubuntucve3cvelist3osv7cve3nodejs1nvd3github3prion3debian1openvas1nessus7debiancve3githubexploit1veracode2f51redhat13ics1