CVE-2019-10062

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-10062

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10062.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-10062

Aliases

GHSA-m6j2-v3gq-45r5

Published

2021-05-13T21:15:07.280Z

Modified

2026-03-15T22:28:58.727557Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them for example.

References

Affected packages

Git / github.com/aurelia/framework

Affected ranges

Type

GIT

Repo

https://github.com/aurelia/framework

Events

Introduced

ac3e71d33571bcc6b369c5befe831143cb5263a6

Last affected

cd14822bb1085d471b83203abc7590ef9b7f45bc

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "last_affected": "1.3.1"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0

1.3.0

1.3.0-rc.1

1.3.0-rc.2

1.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10062.json"