Published: 05 Aug 2024
Source: github
GitHub: Reviewed
CVSS4: 5.3
CVSS3: 6.1
Description
Editor.js vulnerable to Code Injection
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-23474
- https://github.com/codex-team/editor.js/pull/2100
- https://github.com/codex-team/editor.js/commit/f659015be6de8e6f0c322c5ff4d1a4532d2f29a2
- https://securitylab.github.com/advisories
- https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js
Packages
Name: @editorjs/editorjs (npm)
Affected versions: < 2.26.0
Fixed version: 2.26.0
EPSS: 0.00364 (Low)
Percentile: 58%
CVSS4: 5.3 Medium
CVSS3: 6.1 Medium
CVE ID
Weaknesses
CWE-79
CWE-94
Related vulnerabilities
CVSS3: 6.1
nvd
about 3 years ago
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.