npm package
prismjs
pkg:npm/prismjs
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-53382 | — | < 1.30.0 | 1.30.0 | Mar 3, 2025 | Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements. | ||
| CVE-2022-23647 | — | >= 1.14.0, < 1.27.0 | 1.27.0 | Feb 18, 2022 | Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text b | ||
| CVE-2021-3801 | — | < 1.25.0 | 1.25.0 | Sep 15, 2021 | prism is vulnerable to Inefficient Regular Expression Complexity | ||
| CVE-2021-32723 | — | < 1.24.0 | 1.24.0 | Jun 28, 2021 | Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This | ||
| CVE-2021-23341 | — | < 1.23.0 | 1.23.0 | Feb 18, 2021 | The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. | ||
| CVE-2020-15138 | — | >= 1.1.0, < 1.21.0 | 1.21.0 | Aug 7, 2020 | Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _P |
- CVE-2024-53382Mar 3, 2025affected < 1.30.0fixed 1.30.0
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
- CVE-2022-23647Feb 18, 2022affected >= 1.14.0, < 1.27.0fixed 1.27.0
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text b
- CVE-2021-3801Sep 15, 2021affected < 1.25.0fixed 1.25.0
prism is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-32723Jun 28, 2021affected < 1.24.0fixed 1.24.0
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This
- CVE-2021-23341Feb 18, 2021affected < 1.23.0fixed 1.23.0
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
- CVE-2020-15138Aug 7, 2020affected >= 1.1.0, < 1.21.0fixed 1.21.0
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _P