Description
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements.
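As an added illustration (not Aurelia's code), the TypeScript below shows the class of fix the description implies: instead of removing only SCRIPT elements, it keeps only allowlisted elements and attributes and rejects href values whose scheme is not http(s)/mailto after decoding the entity forms a browser would decode. The element and attribute allowlists are assumptions chosen for the example.

```typescript
// Added example, not Aurelia's code: an allowlist sanitizer. Dropping only <script>
// is insufficient because JavaScript also reaches the DOM via event-handler
// attributes and javascript: URLs, so elements, attributes and schemes are all allowlisted.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"]);
const ALLOWED_ATTRS: Record<string, Set<string>> = { a: new Set(["href", "title"]) };
const SAFE_URL = /^(?:https?:|mailto:|\/(?!\/)|#)/i; // no protocol-relative "//" URLs
const NAMED: Record<string, string> = { colon: ":", tab: "\t", newline: "\n" };

// Decode what a browser decodes inside an attribute and strip control chars,
// so the scheme check sees the URL the browser would actually navigate to.
function normalizeUrl(v: string): string {
  return v
    .replace(/&#x([0-9a-f]+);?/gi, (_, h: string) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d: string) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&(colon|tab|newline);/gi, (_, n: string) => NAMED[n.toLowerCase()])
    .replace(/[\u0000-\u0020]/g, "");
}
function escapeText(text: string): string {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeAttrs(tag: string, raw: string): string {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([^\s=/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue; // removes on*, style, srcdoc and anything else not listed
    if (name === "href" && !SAFE_URL.test(normalizeUrl(value))) continue; // removes javascript:, data:, ...
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

export function sanitize(html: string): string {
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  let out = "", last = 0;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // element not on the allowlist: removed entirely
    out += m[0].startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return out + escapeText(html.slice(last)); // a stray "<" in text can no longer open a tag
}
```

Note that a regex tokenizer is used here only to keep the example short; a production sanitizer should parse with a real HTML parser (or DOMParser in the browser) so that tokenization matches the browser's.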
Recommendation
Update the aurelia-framework package to the latest compatible version. Version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
- GHSA-m6j2-v3gq-45r5
- www.gosecure.net
- discourse.aurelia.io
- CVE-2019-10062
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- SQL Injection and Cross-site Scripting in class-validator - CVE-2019-18413
- Cross-Site Scripting in min-http-server - CVE-2019-5457
- DOM-based cross-site scripting in Froala Editor - CVE-2019-19935
Tags
- npm
- aurelia-framework
Last updated on February 01, 2023