Lucene search

[email protected]CVE-2022-23647

HistoryFeb 18, 2022 - 3:15 p.m.

CVE-2022-23647

2022-02-1815:15:07

CWE-79

[email protected]

web.nvd.nist.gov

194

prism

syntax highlighting

library

cve-2022-23647

xss

command line plugin

security vulnerability

dom

html code

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.0%

JSON

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism’s command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Affected configurations

Vulners

NVD

Node

prismjsprismRange1.14.0–1.27.0

VendorProductVersionCPE
prismjsprism*cpe:2.3:a:prismjs:prism:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
prismjs	prism	*	cpe:2.3:a:prismjs:prism::::::::

CNA Affected

[
  {
    "product": "prism",
    "vendor": "PrismJS",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.14.0, < 1.27.0"
      }
    ]
  }
]