PT-2022-16158 · Prism · Prism
At055612 · Published 2022-02-18 · Updated 2022-02-28 · CVE-2022-23647

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Prism versions 1.14.0 through 1.26.x
Description: Prism is a syntax highlighting library. Its Command Line plugin can be abused by attackers to achieve a cross-site scripting attack because of improper output escaping: input text is inserted into the DOM as HTML code rather than as text. Server-side usage of Prism and websites that do not use the Command Line plugin are not affected.
Recommendations: For versions 1.14.0 through 1.26.x, as a workaround, do not use the Command Line plugin on untrusted input, or sanitize all code blocks that use the plugin by removing all HTML code text from them. For all affected versions, update to version 1.27.0, which fixes the issue.
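The following is an added example written for this advisory; it is not code from the advisory or from the Prism project. It shows the two defensive steps the recommendations describe in working form: a version check that tells whether an installed Prism falls in the affected range 1.14.0 through 1.26.x, and an escaping step that turns untrusted text into plain text before it is placed in a code block used with the Command Line plugin, together with a detector that flags tag-like sequences in such input for logging or rejection. Function names, the sample input and the version-check logic are constructed for this example; the `command-line` class and `data-user`/`data-host` attributes are assumed from the plugin's documentation and are used only as plain strings.

```javascript
// Added example (not the advisory's or Prism's own code). Implements the
// advisory's workaround: escape untrusted text destined for a command-line
// code block, and check whether a Prism version is in the affected range.

// Parse "major.minor.patch" into three numbers; returns null on malformed input.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in the range the advisory lists (1.14.0 .. 1.26.x),
// i.e. >= 1.14.0 and < 1.27.0 (the fixed release).
function isAffectedPrismVersion(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unrecognised version string: ${version}`);
  return compareVersions(v, [1, 14, 0]) >= 0 && compareVersions(v, [1, 27, 0]) < 0;
}

// Escape the characters that change meaning when a string is inserted as HTML,
// so the browser renders them as literal text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Detection helper: does the input contain a tag-like sequence? A site can use
// this to log or reject untrusted input aimed at a command-line block,
// independently of the escaping applied above.
function containsHtmlTag(text) {
  return /<\/?[a-zA-Z][^>]*>/.test(String(text));
}

// Build the markup for a command-line block with the content escaped first.
// The class and data-* attribute names are assumed from the plugin's
// documentation; they are plain strings here and nothing executes.
function buildCommandLineBlock(rawText, user, host) {
  const safe = escapeHtml(rawText);
  const attrs = `data-user="${escapeHtml(user)}" data-host="${escapeHtml(host)}"`;
  return `<pre class="command-line language-bash" ${attrs}><code>${safe}</code></pre>`;
}

// Constructed sample: one line of untrusted "terminal text" that carries a tag.
const SAMPLE_INPUT = 'echo "hello" && cat <b>notes</b>.txt';

// Usage: report the sample's status and the escaped block.
console.log('affected 1.25.0:', isAffectedPrismVersion('1.25.0'));
console.log('sample contains tag:', containsHtmlTag(SAMPLE_INPUT));
console.log(buildCommandLineBlock(SAMPLE_INPUT, 'user', 'host'));
```

The escape step is the general defence for any text inserted as HTML; the detector is a separate control that makes tag-bearing input visible in logs, which is useful while the workaround is in place and before the upgrade to 1.27.0 lands.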

Exploit

Fix

XSS

Related Identifiers

CVE-2022-23647
GHSA-3949-F494-CM99

Affected Products

Prism