GHSA-6mvj-2569-3mcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6mvj-2569-3mcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-6mvj-2569-3mcm/GHSA-6mvj-2569-3mcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6mvj-2569-3mcm
- Aliases
- Published
- 2024-08-05T21:18:57Z
- Modified
- 2024-08-05T21:41:56.361300Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Editor.js vulnerable to Code Injection
- Details
-
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
- Database specific
{ "nvd_published_at": "2022-12-15T19:15:00Z", "cwe_ids": [ "CWE-79", "CWE-94" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-05T21:18:57Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-23474
- https://github.com/codex-team/editor.js/pull/2100
- https://github.com/codex-team/editor.js/commit/f659015be6de8e6f0c322c5ff4d1a4532d2f29a2
- https://github.com/codex-team/editor.js
- https://securitylab.github.com/advisories
- https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js
Affected packages
npm / @editorjs/editorjs
Package
- Name
- @editorjs/editorjs
- View open source insights on deps.dev
- Purl
- pkg:npm/%40editorjs/editorjs