CVE-2022-23647

Cross-site Scripting in Prism

Description

Impact

Prism's Command line plugin can be used by attackers to achieve an XSS attack. The Command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code.

Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted.

Patches

This bug has been fixed in v1.27.0.

Workarounds

Do not use the Command line plugin on untrusted inputs, or sanitized all code blocks (remove all HTML code text) from all code blocks that use the Command line plugin.

References

https://github.com/PrismJS/prism/pull/3341

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

Severity

Ecosystem

JavaScript

Publish Date

February 22, 2022

Modified Date

November 7, 2023

Score Vector

Affected Versions