CVE-2022-23474

Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
References
Link | Resource
https://github.com/codex-team/editor.js/pull/2100 | Exploit, Patch, Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js/ | Exploit, Patch, Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:codex:editor.js:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-12-15 19:15

Updated : 2024-02-28 19:51


NVD link : CVE-2022-23474

Mitre link : CVE-2022-23474

CVE.ORG link : CVE-2022-23474



Products Affected

codex

  • editor.js
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')