{"uuid": "b753c330-c74c-442c-9211-62a8961b6739", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-21277", "type": "seen", "source": "https://t.me/cibsecurity/22890", "content": "\u203c CVE-2021-21277 \u203c\n\nangular-expressions is \"angular's nicest part extracted as a standalone module for the browser and node\". In angular-expressions before version 1.1.2 there is a vulnerability which allows Remote Code Execution if you call \"expressions.compile(userControlledInput)\" where \"userControlledInput\" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a \".constructor.constructor\" technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the server, an attacker could run any Javascript expression, thus gaining Remote Code Execution. This is fixed in version 1.1.2 of angular-expressions A temporary workaround might be either to disable user-controlled input that will be fed into angular-expressions in your application or allow only following characters in the userControlledInput.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-01T19:25:04.000000Z"}