CVE-2019-14863

AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes

Description

Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled.

Recommendation

Upgrade to version 1.5.0-beta.1 or later.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

6.1

Severity

Medium

Ecosystem

JavaScript

Publish Date

February 14, 2020

Modified Date

November 20, 2025

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Versions