CVE-2022-23647
Cross-Site Scripting (XSS) vulnerability in prismjs (npm)
What is CVE-2022-23647 About?
Prism's Command line plugin is vulnerable to Cross-Site Scripting (XSS) due to improper escaping of output. This allows attackers to inject malicious HTML code into the DOM, affecting client-side users. Exploitation is relatively straightforward if the plugin is used with untrusted input.
Affected Software
- prismjs (npm): versions >1.14.0, <1.27.0 (fixed in 1.27.0)
Technical Details
The Command line plugin for Prism contains an XSS vulnerability because it fails to properly escape its output. When the plugin processes input text, it directly inserts this text into the Document Object Model (DOM) as raw HTML code without sufficient sanitization. An attacker can craft input that includes malicious HTML tags (e.g., <script>alert('XSS')</script>). If a web application uses this plugin to display untrusted user-supplied content, the attacker's malicious script will be executed in the victim's browser when they view the page, leading to XSS.
What is the Impact of CVE-2022-23647?
Successful exploitation may allow attackers to inject arbitrary web scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2022-23647?
Exploitation of this XSS vulnerability is of low complexity. The primary prerequisite is an application utilizing Prism's Command line plugin and displaying untrusted input through it. No authentication is strictly required if the input mechanism is open to unauthenticated users; otherwise, a user account might be needed to submit the malicious input. The attack is remote, requiring an attacker to inject specially crafted data that is subsequently displayed by the vulnerable plugin. The main risk factor is an application failing to sanitize code blocks processed by the Command line plugin before rendering them, especially if those blocks contain user-controlled content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23647?
About the Fix from Resolved Security
The patch fixes improper escaping of markup in output lines by applying Prism.util.encode to each output line before adding it to codeLines, preventing potential HTML or script injection attacks. This resolves CVE-2022-23647 by ensuring any untrusted content in outputLines is safely escaped and cannot execute unintended scripts when rendered.
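To make the before/after described in the Technical Details and in the fix summary concrete, here is an added JavaScript illustration. It is not the Prism plugin's own code: the line splitting and the `highlightCommand` step are simplified stand-ins, and only `encode` reproduces the string-escaping behaviour of Prism.util.encode (it escapes `&` and `<` and normalises non-breaking spaces). The function names and the sample input are constructed for this example.

```javascript
// Added example for CVE-2022-23647: a minimal model of how a command-line
// plugin turns the lines of a code block into per-line HTML. This is NOT the
// Prism project's code; only `encode` mirrors the string branch of
// Prism.util.encode (escapes `&` and `<`, normalises non-breaking spaces).
// Function names and the line-splitting logic are stand-ins.

function encode(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/\u00a0/g, ' ');
}

// Stand-in for Prism's tokenizer/highlighter, which escapes text while it
// wraps tokens in <span> elements. The real highlighter is not modelled.
function highlightCommand(line) {
  return '<span class="token command">' + encode(line) + '</span>';
}

// Vulnerable pattern (before the fix): lines marked as output bypass the
// highlighter and are pushed into codeLines verbatim, so any markup in them
// reaches innerHTML unescaped.
function buildCodeLinesVulnerable(lines, outputLineNumbers) {
  return lines.map((line, idx) =>
    outputLineNumbers.has(idx + 1) ? line : highlightCommand(line)
  );
}

// Fixed pattern: each output line passes through encode() before it is
// added to codeLines, matching the fix described in the advisory.
function buildCodeLinesFixed(lines, outputLineNumbers) {
  return lines.map((line, idx) =>
    outputLineNumbers.has(idx + 1) ? encode(line) : highlightCommand(line)
  );
}

// Defensive check a reviewer or test suite can run over the built lines:
// an output line must never contain a raw '<' after processing.
function outputLinesAreEscaped(codeLines, outputLineNumbers) {
  return codeLines.every((html, idx) =>
    !outputLineNumbers.has(idx + 1) || !html.includes('<')
  );
}

// Constructed sample: one command line followed by one "output" line that
// carries the payload quoted in the advisory.
const SAMPLE_LINES = ['cat note.txt', "<script>alert('XSS')</script>"];
const SAMPLE_OUTPUT_LINES = new Set([2]); // line 2 is output, not a command

const vulnerable = buildCodeLinesVulnerable(SAMPLE_LINES, SAMPLE_OUTPUT_LINES);
const fixed = buildCodeLinesFixed(SAMPLE_LINES, SAMPLE_OUTPUT_LINES);

console.log('vulnerable output line:', vulnerable[1]);
console.log('fixed output line:     ', fixed[1]);
console.log('vulnerable escaped?', outputLinesAreEscaped(vulnerable, SAMPLE_OUTPUT_LINES)); // false
console.log('fixed escaped?     ', outputLinesAreEscaped(fixed, SAMPLE_OUTPUT_LINES));      // true
```

Run it with `node`. The `outputLinesAreEscaped` check is deliberately strict: any `<` left in a line that was meant to be plain output is treated as a failure, which is the property the upstream fix restores by encoding output lines before they are joined into HTML.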
Available Upgrade Options
- prismjs
- >1.14.0, <1.27.0 → Upgrade to 1.27.0
Additional Resources
- https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c
- https://github.com/PrismJS/prism/pull/3341
- https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
- https://nvd.nist.gov/vuln/detail/CVE-2022-23647
- https://osv.dev/vulnerability/GHSA-3949-f494-cm99
- https://github.com/PrismJS/prism
What are Similar Vulnerabilities to CVE-2022-23647?
Similar Vulnerabilities: CVE-2022-2218, CVE-2022-24891, CVE-2021-41183, CVE-2021-41193, CVE-2021-32640
