UBUNTU-CVE-2022-23647

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-23647

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-23647.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2022-23647

Related

CVE-2022-23647

Published

2022-02-18T15:15:00Z

Modified

2024-10-15T14:09:47Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

References

Affected packages

Ubuntu:20.04:LTS / node-prismjs

Package

Name: node-prismjs
Purl: pkg:deb/ubuntu/node-prismjs?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11.0+dfsg-2

1.11.0+dfsg-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / node-prismjs

Package

Name: node-prismjs
Purl: pkg:deb/ubuntu/node-prismjs?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.23.0+dfsg-1

1.25.0+dfsg-1

1.27.0+dfsg+~1.26.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / node-prismjs

Package

Name: node-prismjs
Purl: pkg:deb/ubuntu/node-prismjs?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.29.0+dfsg+~1.26.0-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.29.0+dfsg+~1.26.0-1",
            "binary_name": "node-prismjs"
        }
    ]
}

Ubuntu:24.04:LTS / node-prismjs

Package

Name: node-prismjs
Purl: pkg:deb/ubuntu/node-prismjs?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.29.0+dfsg+~1.26.0-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.29.0+dfsg+~1.26.0-1",
            "binary_name": "node-prismjs"
        }
    ]
}