Описание
PrismJS DOM Clobbering vulnerability
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-53382
- https://github.com/PrismJS/prism/pull/3863
- https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d
- https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
- https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259
Пакеты
prismjs
< 1.30.0
1.30.0
Связанные уязвимости
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resulta ...