Angular - Vulnerable JavaScript library - CVE-2020-7676, CVE-2019-11358 and CVE-2020-11022

Article ID: 246622

Updated On: 07-25-2022

Products

CA Identity Suite

Issue/Introduction

Is the Identity Suite vulnerable to CVE-2020-7676, CVE-2019-11358 and CVE-2020-11022?

https://nvd.nist.gov/vuln/detail/CVE-2020-7676

https://nvd.nist.gov/vuln/detail/cve-2019-11358

https://nvd.nist.gov/vuln/detail/cve-2020-11022

Environment

Release : 14.4

Resolution

The Identity Suite was implemented with internal code validation and will only accept and execute code that has been validated, which prevents Cross-Site Scripting attacks of the kind described in these vulnerabilities.

Furthermore, the software does not allow the actions required by these vulnerabilities.

CVE-2020-7676
In the Identity Suite, when an Ajax request is performed, our frontend API does not allow extending the native Object.prototype source object.

CVE-2019-11358 and CVE-2020-11022
In the Identity Suite, it is not possible to perform a cross-domain Ajax request without a dataType option that would cause text/javascript responses to be executed. It is also not possible to inject an unsanitized source object with an enumerable __proto__ property.
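
The "unsanitized source object with an enumerable __proto__ property" condition can be checked for and neutralized as in the following added example. It is not Identity Suite or vendor code; the function names (findUnsafeKeys, safeDeepMerge) and the sample request body are constructed for illustration.

```javascript
// Added example, not Identity Suite code. All names here are hypothetical.

// Keys that reach a prototype object when a merge routine walks them.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Return the dotted path of every unsafe own key found in `value`.
function findUnsafeKeys(value, path = "") {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  // Object.keys lists own enumerable keys, which includes a "__proto__"
  // property created by JSON.parse.
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    else hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Deep merge that skips unsafe keys and only recurses into own properties.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const dst = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample input, as it might arrive in an Ajax request body.
const SAMPLE_BODY =
  '{"theme":{"color":"blue"},"__proto__":{"isAdmin":true},' +
  '"prefs":{"constructor":{"prototype":{"x":1}}}}';
const parsed = JSON.parse(SAMPLE_BODY);

console.log(findUnsafeKeys(parsed)); // paths to log or reject on
console.log(safeDeepMerge({ theme: { size: 2 } }, parsed));
console.log({}.isAdmin); // Object.prototype is left unmodified
```

A request whose body yields a non-empty findUnsafeKeys result can be rejected or logged before any merge takes place.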

The Identity Suite has been tested and verified to not be susceptible to the vulnerabilities described in CVE-2020-7676, CVE-2019-11358 and CVE-2020-11022.

Additional Information

Development is aware that these libraries are out of date and will be working towards updating them in future releases.