CVE-2020-7676: XSS
First published: Tue May 19 2020(Updated: )
A XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "\<option\>" elements in "\<select\>" ones changes parsing behavior, leading to possibly unsanitizing code.
Credit: report@snyk.io report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/angular | <1.8.0 | 1.8.0 |
| redhat/rh-sso7-keycloak | <0:9.0.12-1.redhat_00001.1.el6 | 0:9.0.12-1.redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:9.0.12-1.redhat_00001.1.el7 | 0:9.0.12-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:9.0.12-1.redhat_00001.1.el8 | 0:9.0.12-1.redhat_00001.1.el8 |
| redhat/nodejs-angular | <1.8.0 | 1.8.0 |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| Angularjs Angular.js | <1.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-7676
- https://github.com/angular/angular.js/pull/17028
- https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E
- https://github.com/angular/angular.js/commit/2df43c07779137d1bddf7f3b282a1287a8634acd
- https://github.com/advisories/GHSA-mhp6-pxh8-r675 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-7676 https://nvd.nist.gov/vuln/detail/CVE-2020-7676 https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
- https://bugzilla.redhat.com/show_bug.cgi?id=1849206
- https://access.redhat.com/errata/RHSA-2021:0417
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/errata/RHSA-2021:0974
- https://access.redhat.com/errata/RHSA-2021:0967
- https://access.redhat.com/errata/RHSA-2021:0968
- https://access.redhat.com/errata/RHSA-2021:0969
- https://access.redhat.com/security/cve/cve-2020-7676
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1928693
- https://exchange.xforce.ibmcloud.com/vulnerabilities/183379
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
- https://github.com/angular/angular.js/pull/17028,
- https://github.com/angular/angular.js/pull/17028%2C
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1%40%3Cozone-commits.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1%40%3Cozone-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a%40%3Cozone-issues.hadoop.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-7676?
CVE-2020-7676 is a cross-site scripting vulnerability in nodejs-angular, which allows remote attackers to inject malicious script into a web page.
How does CVE-2020-7676 affect angular.js?
CVE-2020-7676 affects angular.js by allowing remote attackers to inject malicious script into a web page.
What is the severity of CVE-2020-7676?
The severity of CVE-2020-7676 is medium (5.4).
How can I fix CVE-2020-7676?
To fix CVE-2020-7676, update to the latest version of nodejs-angular.
Where can I find more information about CVE-2020-7676?
You can find more information about CVE-2020-7676 on the NIST National Vulnerability Database (NVD) website and the GitHub repository for angular.js.
- collector/github-advisory-latest
- alias/GHSA-mhp6-pxh8-r675
- alias/CVE-2020-7676
- collector/github-advisory
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/npm
- package-manager/redhat
- vendor/angularjs
- canonical/angularjs angular.js
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes