Vulnerabilities related to PrismJS - prism
cve-2022-23647
Vulnerability from cvelistv5
Published
2022-02-18 14:50
Modified
2024-08-03 03:51
Summary
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
References
| URL | Tags |
---|---|---|
https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 | x_refsource_CONFIRM | |
https://github.com/PrismJS/prism/pull/3341 | x_refsource_MISC | |
https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T03:51:44.204Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/3341", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prism", vendor: "PrismJS", versions: [ { status: "affected", version: ">= 1.14.0, < 1.27.0", }, ], }, ], descriptions: [ { lang: "en", value: "Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. 
As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-18T14:50:10", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/3341", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", }, ], source: { advisory: "GHSA-3949-f494-cm99", discovery: "UNKNOWN", }, title: "Cross-site Scripting in Prism", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-23647", STATE: "PUBLIC", TITLE: "Cross-site Scripting in Prism", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prism", version: { version_data: [ { version_value: ">= 1.14.0, < 1.27.0", }, ], }, }, ], }, vendor_name: "PrismJS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Prism is a syntax highlighting library. 
Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", refsource: "CONFIRM", url: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", }, { name: "https://github.com/PrismJS/prism/pull/3341", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/3341", }, { name: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", refsource: "MISC", url: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", }, ], }, source: { advisory: "GHSA-3949-f494-cm99", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-23647", datePublished: "2022-02-18T14:50:10", dateReserved: "2022-01-19T00:00:00", 
dateUpdated: "2024-08-03T03:51:44.204Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-53382
Vulnerability from cvelistv5
Published
2025-03-03 00:00
Modified
2025-03-03 21:53
Summary
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
References
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-53382", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-03T21:52:57.337439Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-03T21:53:33.210Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, references: [ { tags: [ "exploit", ], url: "https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660", }, ], title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unknown", product: "Prism", vendor: "PrismJS", versions: [ { lessThanOrEqual: "1.29.0", status: "affected", version: "0", versionType: "semver", }, ], }, ], cpeApplicability: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:prism:*:*:*:*:*:*:*:*", versionEndIncluding: "1.29.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.", }, ], metrics: [ { cvssV3_1: { baseScore: 4.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 Improper Control of Generation of Code ('Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T06:36:55.825Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660", }, { url: "https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259", }, ], x_generator: { engine: "enrichogram 0.0.1", }, }, }, 
cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2024-53382", datePublished: "2025-03-03T00:00:00.000Z", dateReserved: "2024-11-20T00:00:00.000Z", dateUpdated: "2025-03-03T21:53:33.210Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-32723
Vulnerability from cvelistv5
Published
2021-06-28 19:15
Modified
2024-08-03 23:33
Summary
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
References
| URL | Tags |
---|---|---|
https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg | x_refsource_CONFIRM | |
https://github.com/PrismJS/prism/pull/2688 | x_refsource_MISC | |
https://github.com/PrismJS/prism/pull/2774 | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:33:54.878Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/2688", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/2774", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prism", vendor: "PrismJS", versions: [ { status: "affected", version: "< 1.24", }, ], }, ], descriptions: [ { lang: "en", value: "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. 
Other languages are not affected and can be used to highlight untrusted text.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:42:13", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/2688", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/2774", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], source: { advisory: "GHSA-gj77-59wh-66hg", discovery: "UNKNOWN", }, title: "Regular Expression Denial of Service (ReDoS) in Prism", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-32723", STATE: "PUBLIC", TITLE: "Regular Expression Denial of Service (ReDoS) in Prism", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prism", version: { version_data: [ { version_value: "< 1.24", }, ], }, }, ], }, vendor_name: "PrismJS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). 
When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400: Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", refsource: "CONFIRM", url: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", }, { name: "https://github.com/PrismJS/prism/pull/2688", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/2688", }, { name: "https://github.com/PrismJS/prism/pull/2774", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/2774", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, source: { advisory: "GHSA-gj77-59wh-66hg", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-32723", datePublished: "2021-06-28T19:15:15", dateReserved: "2021-05-12T00:00:00", dateUpdated: "2024-08-03T23:33:54.878Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-3801
Vulnerability from cvelistv5
Published
2021-09-15 12:40
Modified
2024-08-03 17:09
Summary
prism is vulnerable to Inefficient Regular Expression Complexity
References
| URL | Tags |
---|---|---|
https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a | x_refsource_CONFIRM | |
https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
prismjs | prismjs/prism |
Version: unspecified <= 1.24.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:09:09.479Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prismjs/prism", vendor: "prismjs", versions: [ { lessThanOrEqual: "1.24.1", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "prism is vulnerable to Inefficient Regular Expression Complexity", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1333", description: "CWE-1333 Inefficient Regular Expression Complexity", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-09-15T12:40:11", orgId: "c09c270a-b464-47c1-9133-acb35b22c19a", shortName: "@huntrdev", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", }, ], source: { advisory: "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", discovery: "EXTERNAL", }, title: "Inefficient Regular Expression Complexity in prismjs/prism", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@huntr.dev", ID: "CVE-2021-3801", STATE: "PUBLIC", TITLE: "Inefficient Regular Expression Complexity in 
prismjs/prism", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prismjs/prism", version: { version_data: [ { version_affected: "<=", version_value: "1.24.1", }, ], }, }, ], }, vendor_name: "prismjs", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "prism is vulnerable to Inefficient Regular Expression Complexity", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-1333 Inefficient Regular Expression Complexity", }, ], }, ], }, references: { reference_data: [ { name: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", refsource: "CONFIRM", url: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", }, { name: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", refsource: "MISC", url: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", }, ], }, source: { advisory: "8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "c09c270a-b464-47c1-9133-acb35b22c19a", assignerShortName: "@huntrdev", cveId: "CVE-2021-3801", datePublished: "2021-09-15T12:40:11", dateReserved: "2021-09-14T00:00:00", dateUpdated: "2024-08-03T17:09:09.479Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-23341
Vulnerability from cvelistv5
Published
2021-02-18 16:00
Modified
2024-09-16 19:56
Summary
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
References
| URL | Tags |
---|---|---|
https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581 | x_refsource_MISC | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582 | x_refsource_MISC | |
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583 | x_refsource_MISC | |
https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609 | x_refsource_MISC | |
https://github.com/PrismJS/prism/issues/2583 | x_refsource_MISC | |
https://github.com/PrismJS/prism/pull/2584 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T19:05:55.755Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/issues/2583", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/2584", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prismjs", vendor: "n/a", versions: [ { lessThan: "1.23.0", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Yeting Li", }, ], datePublic: "2021-02-18T00:00:00", descriptions: [ { lang: "en", value: "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Regular Expression Denial of Service (ReDoS)", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-02-18T16:00:29", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { 
tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", }, { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", }, { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/issues/2583", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/2584", }, ], title: "Regular Expression Denial of Service (ReDoS)", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "report@snyk.io", DATE_PUBLIC: "2021-02-18T15:56:55.174119Z", ID: "CVE-2021-23341", STATE: "PUBLIC", TITLE: "Regular Expression Denial of Service (ReDoS)", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prismjs", version: { version_data: [ { version_affected: "<", version_value: "1.23.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Yeting Li", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Regular Expression Denial of Service (ReDoS)", }, ], }, ], }, references: { reference_data: [ { name: "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", refsource: 
"MISC", url: "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", }, { name: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", }, { name: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", }, { name: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", refsource: "MISC", url: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", }, { name: "https://github.com/PrismJS/prism/issues/2583", refsource: "MISC", url: "https://github.com/PrismJS/prism/issues/2583", }, { name: "https://github.com/PrismJS/prism/pull/2584", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/2584", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2021-23341", datePublished: "2021-02-18T16:00:29.799313Z", dateReserved: "2021-01-08T00:00:00", dateUpdated: "2024-09-16T19:56:25.729Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-15138
Vulnerability from cvelistv5
Published
2020-08-07 16:30
Modified
2024-08-04 13:08
Summary
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
References
| URL | Tags |
---|---|---|
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9 | x_refsource_CONFIRM | |
https://prismjs.com/plugins/previewers/#disabling-a-previewer | x_refsource_MISC | |
https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T13:08:21.948Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prism", vendor: "PrismJS", versions: [ { status: "affected", version: ">= 1.1.0, < 1.21.0", }, ], }, ], descriptions: [ { lang: "en", value: "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. 
You need Prism v1.10.0 or newer to apply this workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-07T16:30:14", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { tags: [ "x_refsource_MISC", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], source: { advisory: "GHSA-wvhm-4hhf-97x9", discovery: "UNKNOWN", }, title: "Cross-Site Scripting in Prism", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2020-15138", STATE: "PUBLIC", TITLE: "Cross-Site Scripting in Prism", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prism", version: { version_data: [ { version_value: ">= 1.1.0, < 1.21.0", }, ], }, }, ], }, vendor_name: "PrismJS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. 
This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", refsource: "CONFIRM", url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { name: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", refsource: "MISC", url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { name: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], }, source: { advisory: "GHSA-wvhm-4hhf-97x9", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2020-15138", datePublished: "2020-08-07T16:30:14", dateReserved: "2020-06-25T00:00:00", dateUpdated: "2024-08-04T13:08:21.948Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2021-09-15 13:15
Modified
2024-11-21 06:22
Summary
prism is vulnerable to Inefficient Regular Expression Complexity
References
| URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a | Exploit, Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a | Exploit, Issue Tracking, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", matchCriteriaId: "266D072D-BFAD-4ACC-9ADA-91B03CA5EDA8", versionEndExcluding: "1.25.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "prism is vulnerable to Inefficient Regular Expression Complexity", }, { lang: "es", value: "prism es vulnerable a una Complejidad de Expresión Regular Ineficiente", }, ], id: "CVE-2021-3801", lastModified: "2024-11-21T06:22:28.573", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security@huntr.dev", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, 
published: "2021-09-15T13:15:08.360", references: [ { source: "security@huntr.dev", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", }, { source: "security@huntr.dev", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://huntr.dev/bounties/8c16ab31-6eb6-46d1-b9a4-387222fe1b8a", }, ], sourceIdentifier: "security@huntr.dev", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1333", }, ], source: "security@huntr.dev", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-06-28 20:15
Modified
2024-11-21 06:07
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/PrismJS/prism/pull/2688 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/PrismJS/prism/pull/2774 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg | Third Party Advisory | |
security-advisories@github.com | https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/pull/2688 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/pull/2774 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujan2022.html | Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
prismjs | prism | * | |
oracle | application_express | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", matchCriteriaId: "7E2F5A9C-1C99-4F59-9A07-2342B171C39C", versionEndExcluding: "1.24.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", matchCriteriaId: "485DEB26-3C1D-4FEC-A9C1-D95BFE3B967E", versionEndExcluding: "21.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.", }, { lang: "es", value: "Prism es una biblioteca de resaltado de sintaxis. Algunos lenguajes anteriores a la versión 1.24.0, son vulnerables a una Denegación de Servicio por Expresiones Regulares (ReDoS). Cuando Prism es usado para resaltar texto no confiable (dado por el usuario), un atacante puede diseñar una cadena que tardará mucho tiempo en ser resaltada. Este problema ha sido corregido en Prism versión v1.24. Como solución alternativa , no utilice ASCIIDoc o ERB para resaltar texto no confiable. 
Otros lenguajes no están afectados y pueden ser usados para resaltar texto no confiable", }, ], id: "CVE-2021-32723", lastModified: "2024-11-21T06:07:36.180", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-06-28T20:15:07.857", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2688", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2774", }, { source: "security-advisories@github.com", tags: [ "Third Party 
Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2688", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2774", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-gj77-59wh-66hg", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-02-18 16:15
Modified
2024-11-21 05:51
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", matchCriteriaId: "E1E5D8C6-2FCA-4B91-84FD-411C24D93902", versionEndExcluding: "1.23.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.", }, { lang: "es", value: "El paquete prismjs versiones anteriores a 1.23.0, es vulnerable a la Denegación de Servicio de Expresión Regular (ReDoS) por medio de los componentes prism-asciidoc, prism-rest, prism-tap y prism-eiffel", }, ], id: "CVE-2021-23341", lastModified: "2024-11-21T05:51:32.237", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", 
userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-18T16:15:14.143", references: [ { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", }, { source: "report@snyk.io", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/issues/2583", }, { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2584", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", }, { source: "report@snyk.io", tags: [ "Exploit", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/issues/2583", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2584", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-18 15:15
Modified
2024-11-21 06:49
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/PrismJS/prism/pull/3341 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/pull/3341 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 | Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:prism:*:*:*:*:*:node.js:*:*", matchCriteriaId: "74CAF516-7C50-41A2-9A78-B60CF495B4BE", versionEndExcluding: "1.27.0", versionStartIncluding: "1.14.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.", }, { lang: "es", value: "Prism es una biblioteca de resaltado de sintaxis. A partir de la versión 1.14.0 y versiones anteriores a 1.27.0, el plugin de línea de comandos de Prism puede ser usado por atacantes para lograr un ataque de tipo cross-site scripting. El plugin de línea de comandos no escapaba apropiadamente su salida, conllevando a que el texto de entrada fuera insertado en el DOM como código HTML. El uso del lado del servidor de Prism no está afectado. Los sitios web que no usan el plugin de línea de comandos tampoco están afectados. Este error ha sido corregido en la versión 1.27.0. 
Como medida de mitigación, no use el complemento de línea de comandos en entradas no confiables, o sanee todos los bloques de código (elimine todo el texto de código HTML) de todos los bloques de código que usen el complemento de línea de comandos", }, ], id: "CVE-2022-23647", lastModified: "2024-11-21T06:49:00.820", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.3, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-18T15:15:07.740", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", }, { source: 
"security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/3341", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/3341", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }