PT-2021-8863 · Aurelia · Aurelia

Published: 2021-05-13 · Updated: 2022-02-10 · CVE-2019-10062

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Aurelia framework versions 1.x

Description: The issue concerns the HTMLSanitizer class in the Aurelia framework, which is susceptible to XSS attacks. The sanitizer only attempts to filter SCRIPT elements, so remote attackers can conduct XSS attacks via JavaScript code in attributes of other elements. Attackers can also exploit a bug in how the SCRIPT string is processed, by splitting and nesting SCRIPT strings.

Recommendations: For Aurelia framework version 1.x, consider disabling the HTMLSanitizer class until a patch is available, and restrict the use of JavaScript code in attributes of various elements to minimize the risk of exploitation.
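The two failure modes in the description (a sanitizer that only filters SCRIPT elements, and a SCRIPT string that can be split and nested so that one removal pass leaves a complete tag behind) are easier to reason about in code. The following is an added example written for this page; it is not Aurelia's HTMLSanitizer and does not reproduce its implementation. scriptOnlySanitize is a hypothetical single-pass filter modelled on the weakness described, allowlistSanitize is the defensive alternative (allowlisted tags and attributes, a URL scheme check, and escaping of any leftover angle brackets), and the sample inputs are constructed.

```javascript
// Added example, not Aurelia's code: a hypothetical "script-only" filter
// modelled on the weakness described in this advisory, beside an allowlist
// sanitizer that neutralises the same inputs. Sample inputs are constructed.

// Hypothetical script-only filter: one pass that strips SCRIPT open/close tags
// and nothing else. Every other element and attribute passes straight through.
function scriptOnlySanitize(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

// Allowlist sanitizer: unknown tags are removed, unknown attributes (which
// includes every on* event handler) are dropped, and URL attributes must use an
// allowed scheme. '<' and '>' left in text are escaped so nothing becomes markup.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NO_ATTRS = new Set();

const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function safeUrl(value) {
  // Remove control characters and whitespace that browsers ignore inside a
  // scheme, then accept schemeless (relative) URLs or an allowed scheme.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || NO_ATTRS;
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                 // drops onerror, style, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

function allowlistSanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // tag removed, inner text kept
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed inputs covering the two failure modes named in the advisory:
// JavaScript in an attribute of a non-SCRIPT element, and a split/nested
// SCRIPT string that survives a single removal pass.
const SAMPLES = [
  '<p>Hi <img src="x" onerror="alert(1)"></p>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',
  '<a href="javascript:alert(1)">x</a>',
];

for (const s of SAMPLES) {
  console.log('input      :', s);
  console.log('script-only:', scriptOnlySanitize(s));
  console.log('allowlist  :', allowlistSanitize(s));
}
```

Run it with node. On the first sample the script-only filter returns its input unchanged, since the handler lives in an attribute of an IMG element; on the second, removing the SCRIPT strings once reassembles a complete `<script>` element from the fragments around them. The allowlist version drops the handler and turns the unrecognised fragments into inert text. Regex tokenising is enough to illustrate the point but has edge cases a real HTML parser handles (for example a `>` inside an attribute value), which is why production sanitizers such as DOMPurify work on a parsed DOM rather than on the raw string.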

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2019-10062
GHSA-M6J2-V3GQ-45R5

Affected Products

Aurelia