Description
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attribute of various other elements. An attacker might also exploit a bug in how the SCRIPT string is processed by splitting and nesting them for example.
Remediation
References
https://aurelia.io
https://github.com/aurelia/templating-resources/blob/0cef07a8cac8e99146d8e1c4b734491bb3dc4724/src/html-sanitizer.js
https://www.gosecure.net/blog/2021/05/12/aurelia-framework-insecure-default-allows-xss/
Related Vulnerabilities
CVE-2021-25949 Vulnerability in npm package set-getter
CVE-2022-0654 Vulnerability in npm package requestretry
CVE-2023-29519 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui
CVE-2022-39353 Vulnerability in maven package org.webjars.npm:xmldom__xmldom
CVE-2022-22984 Vulnerability in npm package snyk-gradle-plugin