Code Injection in Prism
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Code Injection
EUVDB-ID: #VU107489
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-53382
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.. A remote user can send a specially crafted request and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsprism: 1.0.0 - 1.29.0
CPE2.3- cpe:2.3:a:PrismJS:prism:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:PrismJS:prism:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:PrismJS:prism:1.1.0:*:*:*:*:*:*:*
https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660
https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
