CVE-2022-23647

{"id": "CVE-2022-23647", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2022-02-18T15:15:07.740", "references": [{"url": "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/PrismJS/prism/pull/3341", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/PrismJS/prism/pull/3341", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin."}, {"lang": "es", "value": "Prism es una biblioteca de resaltado de sintaxis. A partir de la versi\u00f3n 1.14.0 y versiones anteriores a 1.27.0, el plugin de l\u00ednea de comandos de Prism puede ser usado por atacantes para lograr un ataque de tipo cross-site scripting. El plugin de l\u00ednea de comandos no escapaba apropiadamente su salida, conllevando a que el texto de entrada fuera insertado en el DOM como c\u00f3digo HTML. El uso del lado del servidor de Prism no est\u00e1 afectado. Los sitios web que no usan el plugin de l\u00ednea de comandos tampoco est\u00e1n afectados. Este error ha sido corregido en la versi\u00f3n 1.27.0. Como medida de mitigaci\u00f3n, no use el complemento de l\u00ednea de comandos en entradas no confiables, o sanee todos los bloques de c\u00f3digo (elimine todo el texto de c\u00f3digo HTML) de todos los bloques de c\u00f3digo que usen el complemento de l\u00ednea de comandos"}], "lastModified": "2024-11-21T06:49:00.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "74CAF516-7C50-41A2-9A78-B60CF495B4BE", "versionEndExcluding": "1.27.0", "versionStartIncluding": "1.14.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}