Docxtemplater vulnerability with angular parser - Remote Code Execution #488
A few minutes ago, CVE-2020-5219 got released which impacts users of the "angular-expressions" module. The issue was in the "angular-expressions" code and allows Remote Code Execution.
Here is some docxtemplater-specific information about the vulnerability:
The vulnerability allows Remote Code Execution.
You are impacted if you have the angular parser enabled AND the docx templates are written by untrusted people.
To check if you use the angular-parser, look whether you are calling
The vulnerability was reported by GoSecure, Inc.
The vulnerability comes from "angular-expressions" and has been patched in version 1.0.1.
To apply the patch, do:
It is possible to fix the issue without upgrading by either:
For more information
If you have any questions or comments about this advisory:
The vulnerability was found and reported by Maxime Nadeau from GoSecure, Inc.
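
One way to confirm that no copy of "angular-expressions" older than the patched 1.0.1 is still installed, including copies pulled in transitively, is to scan the project's lockfile. The script below is an added example, not code from the advisory or from docxtemplater; the function names, the sample lockfiles and the "legacy-tool" package are assumptions made for illustration.

```javascript
// Added example (not from the advisory): flag angular-expressions < 1.0.1 in a lockfile.
const PATCHED = [1, 0, 1]; // patched version named in the advisory

// True when "major.minor.patch" is lower than PATCHED. Suffixes such as
// "-beta" are ignored; unparseable versions are flagged for manual review.
function isBelowPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return false;
}

// Accepts a parsed package-lock.json. lockfileVersion 2/3 has a flat
// "packages" map; lockfileVersion 1 has a nested "dependencies" tree.
function findVulnerable(lock) {
  const hits = [];
  const check = (path, info) => {
    if (isBelowPatched(info.version)) hits.push({ path, version: info.version });
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/angular-expressions")) check(path, info);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "angular-expressions") check(path, info);
      walk(info.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles ("legacy-tool" is a made-up package name).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "angular-expressions": { version: "1.0.0" },
  "legacy-tool": { version: "2.3.4", dependencies: {
    "angular-expressions": { version: "1.0.1" } } } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/angular-expressions": { version: "1.0.1" },
  "node_modules/legacy-tool/node_modules/angular-expressions": { version: "0.3.0" } } };

console.log(findVulnerable(SAMPLE_V1), findVulnerable(SAMPLE_V3));
```

To run it against a real project, pass `findVulnerable` the result of `JSON.parse` on the contents of `package-lock.json`; an empty array means every resolved copy is at 1.0.1 or later.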