CVE-2019-10062

Severity: MEDIUM | CVSS 6.1/10 | EPSS 1.42%


CVE-2019-10062 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. EPSS estimates a 1.42% chance of exploitation in the next 30 days.

Description

The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed, for example by splitting or nesting SCRIPT strings.
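As an added illustration (not Aurelia's code), the script-only denylist the description names is shown beside an escape-then-allowlist alternative, together with a check a maintainer can run over sanitizer output. `stripScriptOnly` is an assumed reconstruction of the script-only behaviour, not html-sanitizer.ts itself; the sample input is constructed.

```javascript
// Denylist (assumed reconstruction): removes <script>...</script> and nothing else,
// so attributes on other elements pass through untouched.
function stripScriptOnly(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allowlist alternative: encode every markup character, then restore only
// exact, attribute-free opening/closing tags from a short list.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br'];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

function sanitizeAllowlist(html) {
  let out = escapeHtml(html);
  for (const tag of ALLOWED_TAGS) {
    // Only "<tag>" / "</tag>" with no attributes is re-enabled.
    out = out.replace(new RegExp(`&lt;(/?)${tag}&gt;`, 'gi'), `<$1${tag}>`);
  }
  return out;
}

// Regression check for sanitizer output: any script element, inline event
// handler attribute, or javascript: URL left behind means the filter failed.
function hasActiveContent(html) {
  return /<script\b/i.test(html)
      || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html)
      || /<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample: a handler attribute on a non-script element.
const SAMPLE = '<b>hello</b><div onmouseover="doSomething()">text</div>';

function compare(input) {
  return {
    denylistStillActive: hasActiveContent(stripScriptOnly(input)),
    allowlistStillActive: hasActiveContent(sanitizeAllowlist(input)),
  };
}

console.log(compare(SAMPLE)); // denylist leaves the handler, allowlist does not
```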

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
1.42%

69.4th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor: Bluespire
Product: Aurelia Framework
Versions: >= 1.0.0, <= 1.3.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-10062?
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed, for example by splitting or nesting SCRIPT strings.
How severe is CVE-2019-10062?
CVE-2019-10062 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 1.42% probability of exploitation in the next 30 days.
How do I fix CVE-2019-10062?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.


Source: NVD / NIST