CVE-2022-23474 – @editorjs/editorjs

Package

Manager: npm
Name: @editorjs/editorjs
Vulnerable Version: >=0 <2.26.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00359 pctl0.57312

Details

Editor.js vulnerable to Code Injection Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.

Metadata

Created: 2024-08-05T21:18:57Z
Modified: 2024-08-05T21:18:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-6mvj-2569-3mcm/GHSA-6mvj-2569-3mcm.json
CWE IDs: ["CWE-79", "CWE-94"]
Alternative ID: GHSA-6mvj-2569-3mcm
Finding: F188
Auto approve: 1