CVE-2022-23647

Vulnerable Component Details
  Type:        npm
  Namespace:   None
  Name:        prismjs
  Version:     1.24.1
  Package URL: pkg:npm/prismjs@1.24.1
Vulnerability Details
  ID:             CVE-2022-23647
  Description:    Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's Command Line plugin can be used by attackers to achieve a cross-site scripting attack. The plugin did not properly escape its output, so the input text was inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the Command Line plugin on untrusted inputs, or sanitize the contents (remove all HTML) of every code block that uses the Command Line plugin.
  Recommendation: State: fixed. Fix version: 1.27.0. Upgrade to version 1.27.0 or above.
Ratings
  Severity  Score  Method  Vector                                        Source
            4.3    CVSSv2  AV:N/AC:M/Au:N/C:N/I:P/A:N
            6.1    CVSSv3  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Related Vulnerabilities
Found By: GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index
References / Advisories
Weakness Enumeration