Description
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements; attacker-controlled markup that carries JavaScript anywhere else, for example in an event-handler attribute of another element, passes through unchanged, so remote attackers can conduct XSS attacks against applications that rely on this sanitizer for untrusted HTML.
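As an added illustration (this is not Aurelia's code and not the fix shipped in 1.4.1), the block below contrasts a script-element-only filter that behaves the way the description says with a fail-closed allowlist sanitizer. The payloads are constructed for the example, and every function, regex and tag name here is an assumption made for it. A production application should use a maintained HTML sanitizer rather than the small allowlist shown here.

```javascript
// Added illustration, not code from the Aurelia project. sanitizeScriptOnly
// mirrors the behaviour the advisory describes (only SCRIPT elements are
// filtered); sanitizeAllowlist is one hardened alternative. All names here
// are assumptions made for this example.

// Vulnerable pattern: a single regex that removes <script>...</script> blocks.
// Every other element, and every attribute, is passed through untouched.
const SCRIPT_ELEMENT = /<script[^>]*>[\s\S]*?<\/script>/gi;

function sanitizeScriptOnly(html) {
  return html.replace(SCRIPT_ELEMENT, "");
}

// Hardened alternative: allowlist a few formatting tags, drop every attribute,
// and entity-encode everything else. Anything the tokenizer does not recognise
// as an allowed tag is emitted as inert text, so the default is fail-closed.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function sanitizeAllowlist(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^<>]*>/g;
  const out = [];
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeHtml(html.slice(last, m.index))); // text before the tag
    const [whole, slash, rawName] = m;
    const name = rawName.toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      out.push(`<${slash}${name}>`); // rebuild the tag without any attributes
    } else {
      out.push(escapeHtml(whole)); // unknown element becomes literal text
    }
    last = tagRe.lastIndex;
  }
  out.push(escapeHtml(html.slice(last)));
  return out.join("");
}

// Heuristic used only to show the difference: does the output still contain a
// real (unescaped) script element, an element with an on* handler attribute,
// or an href/src pointing at a javascript: URL? Escaped text never matches.
function hasActiveContent(html) {
  return /<script\b|<[a-zA-Z][a-zA-Z0-9]*\s+[^>]*\bon[a-z]+\s*=|<[a-zA-Z][^>]*\b(href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed payloads, one per bypass class the description alludes to.
const PAYLOADS = {
  scriptElement: "<script>alert(1)</script><b>hi</b>",
  eventHandler: "<img src=x onerror=alert(1)>",
  handlerOnAllowedTag: '<b onmouseover="alert(1)">x</b>',
  scriptUrl: '<a href="javascript:alert(1)">x</a>',
};

// Run both sanitizers over every payload and record whether active content survived.
function compare() {
  const report = {};
  for (const [label, html] of Object.entries(PAYLOADS)) {
    const weak = sanitizeScriptOnly(html);
    const strict = sanitizeAllowlist(html);
    report[label] = {
      weak,
      strict,
      weakStillActive: hasActiveContent(weak),
      strictStillActive: hasActiveContent(strict),
    };
  }
  return report;
}

console.log(JSON.stringify(compare(), null, 2));
```

Only the first payload is neutralised by the script-only filter; the event-handler and javascript: URL payloads survive it intact, which is the class of bypass the description refers to. The allowlist version rebuilds allowed tags without attributes and escapes everything else, so none of the four payloads remains active.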
Recommendation
Update the aurelia-framework package to the latest compatible version, which must be at least the patched release below. Version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
References
- GHSA-m6j2-v3gq-45r5
- www.gosecure.net
- discourse.aurelia.io
- CVE-2019-10062
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- rollbar vulnerable to prototype pollution - CVE-2025-57325
- csvjson vulnerable to prototype injection - CVE-2025-57318
- Prebid.js NPM package briefly compromised - CVE-2025-59038
Tags
- npm
- aurelia-framework
Last updated on February 01, 2023