CVE-2019-14863 (Medium) detected in angular-1.4.2.min.js
mend-bolt-for-github opened this issue · 0 comments
CVE-2019-14863 - Medium Severity Vulnerability
Vulnerable Library - angular-1.4.2.min.js
AngularJS is an MVC framework for building web applications. The core features include HTML enhanced with custom component and data-binding capabilities, dependency injection and strong focus on simplicity, testability, maintainability and boiler-plate reduction.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.2/angular.min.js
Path to dependency file: /tmp/ws-scm/VuePress-GithubPages-TravisCI/node_modules/autocomplete.js/examples/basic_angular.html
Path to vulnerable library: /VuePress-GithubPages-TravisCI/node_modules/autocomplete.js/examples/basic_angular.html,/VuePress-GithubPages-TravisCI/node_modules/autocomplete.js/test/playground_angular.html
Dependency Hierarchy:
- ❌ angular-1.4.2.min.js (Vulnerable Library)
Found in HEAD commit: 5ff4623a3079b85b394ebd8324e70ca5faaf9a58
Vulnerability Details
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Publish Date: 2020-01-02
URL: CVE-2019-14863
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: angular/angular.js#12524
Release Date: 2020-01-02
Fix Resolution: angular - v1.5.0-beta.1;org.webjars:angularjs:1.5.0-rc.0
Step up your Open Source Security Game with WhiteSource here