Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.
History

Tue, 10 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Dec 2024 15:45:00 +0000

Type Values Removed Values Added
Description Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.4.3, an attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. The problem has been patched in version 1.4.3 of Angular Expressions. Two possible workarounds are available. One may either disable access to `__proto__` globally or make sure that one uses the function with just one argument.
Title Angular Expressions - Remote Code Execution when using locals
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-10T15:37:51.480Z

Updated: 2024-12-10T16:34:57.533Z

Reserved: 2024-11-29T18:02:16.756Z

Link: CVE-2024-54152

cve-icon Vulnrichment

Updated: 2024-12-10T16:34:52.690Z

cve-icon NVD

Status : Received

Published: 2024-12-10T16:15:23.947

Modified: 2024-12-10T16:15:23.947

Link: CVE-2024-54152

cve-icon Redhat

No data.