Bug 1763589 (CVE-2019-14863) - CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Summary: CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitizat...
Alias: CVE-2019-14863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1762305
TreeView+ depends on / blocked
Reported: 2019-10-21 07:03 UTC by Marian Rehak
Modified: 2021-02-16 21:13 UTC (History)
14 users (show)

Fixed In Version: angular 1.5.0-beta.0
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in Angular. This flaw occurs due to improper sanitation of xlink:href attributes, which allows the web application to deliver data to users, along with other trusted content, without proper validation.
Clone Of:
Last Closed: 2019-12-03 19:04:51 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:4069 0 None None None 2019-12-03 15:00:22 UTC
Red Hat Product Errata RHSA-2019:4071 0 None None None 2019-12-03 15:13:58 UTC

Description Marian Rehak 2019-10-21 07:03:23 UTC
This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it.

Comment 2 Marian Rehak 2019-10-21 07:28:26 UTC
External References:


Comment 5 errata-xmlrpc 2019-12-03 14:58:43 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2019:4069 https://access.redhat.com/errata/RHSA-2019:4069

Comment 6 errata-xmlrpc 2019-12-03 15:13:57 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2019:4071 https://access.redhat.com/errata/RHSA-2019:4071

Comment 7 Product Security DevOps Team 2019-12-03 19:04:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.