CVE-2022-23647

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
GitHub_MCNA
7.5 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
VendorProductVersion
prismjsprism
1.14.0 ≤
𝑥
< 1.27.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-prismjs
bullseye
1.23.0+dfsg-1+deb11u2
fixed
sid
1.29.0+dfsg+~1.26.0-1
fixed
trixie
1.29.0+dfsg+~1.26.0-1
fixed
bookworm
1.29.0+dfsg+~1.26.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-prismjs
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c
https://github.com/PrismJS/prism/pull/3341
https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c
https://github.com/PrismJS/prism/pull/3341
https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99