CVE-2022-23647 — Cross-site Scripting in Prism

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

CNA7.5

EPSS

0.4%

top 42.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prismjs Prism

Timeline

PublishedFeb 18

Latest updateFeb 22

Description

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDprismjs/prism1.14.0 — 1.27.0

▶CVEListV5prismjs/prism>= 1.14.0, < 1.27.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in Prism↗2022-02-22

▶

GHSA

Cross-site Scripting in Prism↗2022-02-22

▶

OSV

CVE-2022-23647: Prism is a syntax highlighting library↗2022-02-18

▶

CVEList

Cross-site Scripting in Prism↗2022-02-18

▶

📋Vendor Advisories

Red Hat

prismjs: improperly escaped output allows a XSS↗2022-02-18

▶

Debian

CVE-2022-23647: node-prismjs - Prism is a syntax highlighting library. Starting with version 1.14.0 and prior t...↗2022

▶