CVE-2024-53382 — Code Injection in Prism

CWE-94 — Code Injection CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.4MEDIUMNVD

CNA4.9

EPSS

0.2%

top 63.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Prismjs Prism

Timeline

PublishedMar 3

Description

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5prismjs/prism1.29.0

▶NVDprismjs/prism1.29.0

Patches

Patch: gist.github.com ↗Patch: gist.github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-53382: Prism (aka PrismJS) through 1↗2025-03-03

▶

GHSA

PrismJS DOM Clobbering vulnerability↗2025-03-03

▶

OSV

PrismJS DOM Clobbering vulnerability↗2025-03-03

▶

CVEList

CVE-2024-53382: Prism (aka PrismJS) through 1↗2025-03-03

▶

📋Vendor Advisories

Red Hat

prismjs: DOM Clobbering vulnerability within the Prism library's prism-autoloader plugin↗2025-03-03

▶

Debian

CVE-2024-53382: node-prismjs - Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for...↗2024

▶