Affected versions of this package are vulnerable to Arbitrary Code Execution.
$parse allowed arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:
- Application mixes server-side and client-side templating
- The server-side templating contains XSS vulnerabilities
- The vulnerabilities in the server-side templating are being guarded by server-side XSS filters or on the client-side via CSP
- The server-side XSS vulnerabilities can be used to augment the client-side template processed by Angular
Applications not meeting all of the conditions are not vulnerable.
angular to version 1.3.0 or higher.
- Jann Horn
- Snyk ID
- 07 Jun, 2014
- 23 Jan, 2017