CVE-2020-26237 – Prototype Pollution in highlight.js

https://notcve.org/view.php?id=CVE-2020-26237

24 Nov 2020 — Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be har... • https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0 • CWE-20: Improper Input Validation CWE-471: Modification of Assumed-Immutable Data (MAID) •