CVE-2022-23474
editor.js contains Code Injection
Severity Score (CVSS v3.1): 6.1
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 2
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
*Credits:
N/A
Timeline
- 2022-01-19 CVE Reserved
- 2022-12-15 CVE Published
- 2024-07-07 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
References (2)
URL | Date | SRC |
---|---|---|
https://github.com/codex-team/editor.js/pull/2100 | 2024-08-03 | |
https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js | 2024-08-03 | |