CVE-2022-23647

Cross-site Scripting in Prism

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

Prism es una biblioteca de resaltado de sintaxis. A partir de la versión 1.14.0 y versiones anteriores a 1.27.0, el plugin de línea de comandos de Prism puede ser usado por atacantes para lograr un ataque de tipo cross-site scripting. El plugin de línea de comandos no escapaba apropiadamente su salida, conllevando a que el texto de entrada fuera insertado en el DOM como código HTML. El uso del lado del servidor de Prism no está afectado. Los sitios web que no usan el plugin de línea de comandos tampoco están afectados. Este error ha sido corregido en la versión 1.27.0. Como medida de mitigación, no use el complemento de línea de comandos en entradas no confiables, o sanee todos los bloques de código (elimine todo el texto de código HTML) de todos los bloques de código que usen el complemento de línea de comandos

A Cross-site scripting attack was found in Prism. The command-line plugin did not properly escape its output. This issue leads to the input text being inserted into the Document Object Model (DOM) as HTML code, which can be exploited by an attacker.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-02-18 CVE Published
2024-08-03 CVE Updated
2024-08-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (5)

URL	Tag	Source
https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c	2022-02-28
https://github.com/PrismJS/prism/pull/3341	2022-02-28

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-23647	2022-11-17
https://bugzilla.redhat.com/show_bug.cgi?id=2056643	2022-11-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Prismjs Search vendor "Prismjs"		Prism Search vendor "Prismjs" for product "Prism"				>= 1.14.0 < 1.27.0 Search vendor "Prismjs" for product "Prism" and version " >= 1.14.0 < 1.27.0"		node.js		Affected