Angular is HTML enhanced for web apps.
The sandbox (while not a security feature) is supposed to error on access to constructor properties. In its current state it is trivial to bypass.
The expected behavior is that the sandbox would throw an 'Assigning to constructor is disallowed' error.
WS-2016-0055 - High Severity Vulnerability
Vulnerable Library - angular-1.4.14.tgz
HTML enhanced for web apps
Library home page: https://registry.npmjs.org/angular/-/angular-1.4.14.tgz
Path to dependency file: /tvaultui/package.json
Path to vulnerable library: /tvaultui/node_modules/angular/package.json
Dependency Hierarchy: - angular-counter-0.2.1.tgz (Root Library) - :x: **angular-1.4.14.tgz** (Vulnerable Library)
Found in base branch: dev
Vulnerability Details
Angular is HTML enhanced for web apps. The sandbox (while not a security feature) is supposed to error on access to constructor properties. In its current state it is trivial to bypass. The expected behavior is that the sandbox would throw an 'Assigning to constructor is disallowed' error.
Publish Date: 2016-07-21
URL: WS-2016-0055
CVSS 3 Score Details (7.4)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2016-0055
Release Date: 2016-07-21
Fix Resolution: angular - 1.4.4,1.4.7,1.3.4,1.4.0-rc.2,1.3.10,1.4.0-beta.6,1.4.11,1.5.9,1.5.3,1.3.18,1.5.0-beta.0,1.4.0-beta.2,1.5.1,1.5.7,1.4.2;angular - v1.5.7-build.4837+sha.f58d4fb,v1.3.21-build.153+sha.a9ecde1,v1.4.7-build.4242+sha.4dd10fd,v1.4.9-build.1+sha.7882c1c,v1.3.18-build.129+sha.8bd59a5,v1.5.8-build.4886+sha.ff5f645,v1.3.10-build.17+sha.bf55d76,v1.5.1-build.4591+sha.75f23f0,v1.3.16-build.100+sha.d5c99ea