PT-2022-16015 · Editor.Js · Editor.Js

Bananabr +5 · Published 2022-12-15 · Updated 2024-08-05 · CVE-2022-23474

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Editor.js versions prior to 2.26.0

Description

Editor.js, a block-style editor, has a code injection vulnerability via pasted input. The processHTML method is vulnerable because it passes pasted input into the wrapper's innerHTML, which allows for potential code injection attacks.

Recommendations

For versions prior to 2.26.0, update to version 2.26.0 to resolve the issue. As a temporary workaround, consider disabling the processHTML method until the patch is applied. Restrict access to pasted input to minimize the risk of exploitation.

Exploit · Fix · XSS · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-23474
GHSA-6MVJ-2569-3MCM

Affected Products

Editor.Js