CVE-2019-10062: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

February 10, 2022

The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them for example.

References

aurelia.io/
github.com/advisories/GHSA-m6j2-v3gq-45r5
github.com/aurelia/templating-resources/blob/0cef07a8cac8e99146d8e1c4b734491bb3dc4724/src/html-sanitizer.js
nvd.nist.gov/vuln/detail/CVE-2019-10062
www.gosecure.net/blog/2021/05/12/aurelia-framework-insecure-default-allows-xss/

Code Behaviors & Features

Detect and mitigate CVE-2019-10062 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →