CVE-2020-26237 — Modification of Assumed-Immutable Data in Highlight.js

CWE-471 — Modification of Assumed-Immutable Data CWE-20 — Improper Input Validation8 documents7 sources

Severity

8.7HIGHNVD

CNA5.8

EPSS

0.6%

top 30.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Highlightjs Highlight.js Oracle Mysql Enterprise Monitor Debian Linux

Timeline

PublishedNov 24

Latest updateJul 15

Description

Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:HExploitability: 2.3 | Impact: 5.8

Affected Packages3 packages

▶CVEListV5highlightjs/highlight.js< 9.18.2+1

▶NVDhighlightjs/highlight.js10.1.0 — 10.1.2+1

▶NVDoracle/mysql_enterprise_monitor8.0.30

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Prototype Pollution in highlight.js↗2020-11-24

▶

OSV

CVE-2020-26237: Highlight↗2020-11-24

▶

GHSA

Prototype Pollution in highlight.js↗2020-11-24

▶

OSV

Prototype Pollution in highlight.js↗2020-11-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle MySQL Risk Matrix: Monitoring: General (highlight.js) — CVE-2020-26237↗2022-07-15

▶

Red Hat

nodejs-highlight-js: prototype pollution via a crafted HTML code block↗2020-11-23

▶

Debian

CVE-2020-26237: highlight.js - Highlight.js is a syntax highlighter written in JavaScript. Highlight.js version...↗2020

▶