CVE-2020-26237

Prototype Pollution in highlight.js

Severity Score

8.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector. If your website or application does not render user provided data it should be unaffected. Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Highlight.js es un resaltador de sintaxis escrito en JavaScript. Highlight.js versiones anteriores a 9.18.2 y 10.1.2 son vulnerables a una Contaminación de Prototipo. Un bloque de código HTML malicioso puede ser diseñado lo que resultará en la contaminación del prototipo del prototipo del objeto base durante el resaltado. Si permite a usuarios insertar bloques de código HTML personalizados en su página y aplicación por medio del análisis de bloques de código Markdown (o similar) y no filtrar los nombres del idioma que el usuario puede proporcionar, puede ser vulnerable. La contaminación debería ser solo datos inofensivos, pero esto puede causar problemas para las aplicaciones que no esperan que se presenten estas propiedades y puede resultar en un comportamiento extraño o fallos de la aplicación, es decir, un vector de DOS potencial. Si su sitio web o aplicación no proporciona los datos proporcionados por el usuario, no debería estar afectado. Versiones 9.18.2 y 10.1. 2 y más recientes incluyen correcciones para esta vulnerabilidad. Si está usando la versión 7 o 8, le recomendamos que actualice a una versión más reciente

A flaw was found in nodejs-highlight-js. Highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-01 CVE Reserved
2020-11-24 CVE Published
2023-12-28 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-471: Modification of Assumed-Immutable Data (MAID)

CAPEC

References (8)

URL	Tag	Source
https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx	Mitigation
https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html	Mailing List
https://www.npmjs.com/package/highlight.js	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0	2022-10-19
https://github.com/highlightjs/highlight.js/pull/2636	2022-10-19

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-26237	2021-10-19
https://bugzilla.redhat.com/show_bug.cgi?id=1901662	2021-10-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Highlightjs Search vendor "Highlightjs"		Highlight.js Search vendor "Highlightjs" for product "Highlight.js"				< 9.18.2 Search vendor "Highlightjs" for product "Highlight.js" and version " < 9.18.2"		node.js		Affected
Highlightjs Search vendor "Highlightjs"		Highlight.js Search vendor "Highlightjs" for product "Highlight.js"				>= 10.1.0 < 10.1.2 Search vendor "Highlightjs" for product "Highlight.js" and version " >= 10.1.0 < 10.1.2"		node.js		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.30 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.30"		-		Affected