Bug 1763589 (CVE-2019-14863) - CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Summary: CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitizat...
Alias: CVE-2019-14863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1762305
TreeView+ depends on / blocked
Reported: 2019-10-21 07:03 UTC by Marian Rehak
Modified: 2023-11-23 09:53 UTC (History)
15 users (show)

Fixed In Version: angular 1.5.0-beta.0
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in Angular. This flaw occurs due to improper sanitation of xlink:href attributes, which allows the web application to deliver data to users, along with other trusted content, without proper validation.
Clone Of:
Last Closed: 2019-12-03 19:04:51 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4069 0 None None None 2019-12-03 15:00:22 UTC
Red Hat Product Errata RHSA-2019:4071 0 None None None 2019-12-03 15:13:58 UTC

Description Marian Rehak 2019-10-21 07:03:23 UTC
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it.

Comment 2 Marian Rehak 2019-10-21 07:28:26 UTC
External References:


Comment 5 errata-xmlrpc 2019-12-03 14:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:4069 https://access.redhat.com/errata/RHSA-2019:4069

Comment 6 errata-xmlrpc 2019-12-03 15:13:57 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:4071 https://access.redhat.com/errata/RHSA-2019:4071

Comment 7 Product Security DevOps Team 2019-12-03 19:04:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 8 Orion 2023-11-23 09:53:46 UTC
Hey there. I feel your pain with the Rhel node issue. It's frustrating when things go south, especially with the intricate dance of enabling FIPS on a Rhel VM. I've run into similar hurdles, and it can be a head-scratcher.

Now, about your hiccup, it seems like the FIPS integrity test is throwing a curveball during the Rhel node startup. Given your steps, it might be worthwhile to double-check the FIPS configuration and ensure it aligns seamlessly with the OCP installation. Sometimes, these finicky issues boil down to the order of operations.

Consider revisiting the FIOS setup on the Rhel VM, ensuring a snug fit with the public image. I'd recommend exploring any specific quirks tied to that AWS image (ami-0e166e72fda655c63). Also, a quick dive into the AWS community forums might unveil experiences from fellow adventurers. I would suggest starting here: https://andersenlab.com/find-developers/angular

Hang in there... Bugs can be elusive, but so is your determination.

Note You need to log in before you can comment on or make changes to this bug.