CVE-2021-21277

Sep 3, 2024

Published Date: 2021-02-01T15:15Z
Last Modified: 2022-10-19T19:06Z

CVSS Score: 8.8 (HIGH)

EPSS Score: 0.91%

Risk Score: 6.16 (HIGH)

Risk Score based on CVSS score and EPSS. This score is for reference purposes and is not internationally recognized.

Meter Needle
CVSS: 8.8  |  EPSS: 0.91%

Description: angular-expressions is “angular’s nicest part extracted as a standalone module for the browser and node”. In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call “expressions.compile(userControlledInput)” where “userControlledInput” is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a “.constructor.constructor” technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.

Mitre ATT&CK Technical v15.1

T1059.007 – JavaScript
T1583.004 – Server
T1584.004 – Server
T1053.002 – At

Technical Analysis & Mitigation Measures

Reference Links

Vendor - Produce - Version

angular-expressions - peerigon

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.