CVE-2019-14863:
AngularJS Cross-site Scripting due to failure to sanitize `xlink:href` attributes

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.45324%
Published: 2/14/2020
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| angular | npm | < 1.5.0-beta.1 | 1.5.0-beta.1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from AngularJS's `$sanitize` service using a custom regex-based HTML parser that couldn't properly handle SVG `xlink:href` attributes. The commit 35a2153 replaced this with a DOM-based parser, explicitly addressing namespace-aware attribute handling. The old regex (`ATTR_REGEXP`) and attribute processing logic in `htmlParser`/`parseStartTag` were the root cause, as evidenced by their removal in the patch and the CVE's focus on `xlink:href` sanitization gaps.
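
An added illustration, not AngularJS's code: once a DOM parser hands over decoded (name, value) pairs, the namespaced `xlink:href` can be validated as a URL attribute in the same way as `href` and `src`. The function names, allow-lists and scheme policy below are assumptions made for this example.

```javascript
'use strict';
// Added illustration (not AngularJS source): attribute filtering applied to
// (name, value) pairs that a DOM parser has already decoded. All names here
// are hypothetical.

// Attributes whose value is a URL, including the namespaced SVG form.
const URI_ATTRS = new Set(['href', 'src', 'xlink:href']);
// Non-URL attributes allowed through unchanged (small constructed list).
const PLAIN_ATTRS = new Set(['alt', 'title', 'class', 'width', 'height', 'x', 'y']);
// Schemes accepted in URL attributes (assumed policy for this example).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeUri(value) {
  // URL parsers strip leading C0 controls and spaces and drop tabs and
  // newlines anywhere; removing all of them here is a conservative superset.
  const cleaned = String(value).replace(/[\u0000-\u0020\u007f]/g, '');
  const scheme = /^[a-z][a-z0-9+.-]*:/i.exec(cleaned);
  // No scheme means a relative URL or a fragment such as "#icon".
  return scheme === null || SAFE_SCHEMES.has(scheme[0].toLowerCase());
}

function sanitizeAttributes(attrs) {
  const kept = [];
  for (const { name, value } of attrs) {
    const key = name.toLowerCase();
    if (URI_ATTRS.has(key)) {
      if (isSafeUri(value)) kept.push({ name, value });
    } else if (PLAIN_ATTRS.has(key)) {
      kept.push({ name, value });
    }
    // Anything else, including on* handlers, is dropped.
  }
  return kept;
}

// Constructed sample: attributes of SVG elements after parsing.
const sample = [
  { name: 'xlink:href', value: ' java\tscript:void(0)' },
  { name: 'XLink:Href', value: 'data:text/html,x' },
  { name: 'xlink:href', value: '#icon' },
  { name: 'href', value: 'https://example.com/a.svg' },
  { name: 'onclick', value: 'void(0)' },
  { name: 'width', value: '16' },
];
console.log(sanitizeAttributes(sample).map((a) => `${a.name}=${a.value}`));
```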

WAF Protection Rules

WAF Rule

Versions of `angular` prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize `xlink:href` attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled.