CVE-2020-5219 HIGH

CVE-2020-5219: Remote Code Execution in Angular Expressions

Vendor Peerigon
Product angular-expressions
Weakness CWE-74
Published January 24, 2020
Last update August 4, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Angular Expressions before version 1.0.1 has a remote code execution vulnerability if you call expressions.compile(userControlledInput) where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution.

Key dates

02Disclosure timeline

January 24, 2020 CVE published
August 4, 2024 Record updated