Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02bXZqLTI1NjktM21jbc4AA-Yi

Editor.js vulnerable to Code Injection

Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to code injection via pasted input: the processHTML method writes the pasted HTML into the wrapper element's innerHTML without sanitizing it, so any markup carried in the clipboard payload (for example an element with an event-handler attribute) is parsed as live DOM and can run script in the origin of the page hosting the editor. This issue is patched in version 2.26.0; downstream projects should upgrade, and any code that handles pasted HTML itself should reduce it to an allowlist of tags and attributes before assigning it to innerHTML.
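The following is an added illustration of the paste-handling pattern the advisory describes, not Editor.js code and not the fix shipped in 2.26.0: a function that assigns pasted HTML straight to innerHTML is shown next to a variant that first runs the payload through a small allowlist sanitizer. The names processHtmlUnsafe, processHtmlSafe, sanitizeHtml, the plain-object stand-in for the wrapper element, and the clipboard payload are all assumptions made so the example runs in Node without a DOM.

```javascript
// Added example for this advisory page: the unsafe paste-handling pattern
// it describes (pasted HTML assigned straight to innerHTML) next to an
// allowlist-sanitizing alternative. This is NOT Editor.js code and says
// nothing about how 2.26.0 actually fixed the issue; processHtmlUnsafe,
// processHtmlSafe, sanitizeHtml and the fake wrapper element are assumptions
// made so the example runs in Node without a DOM.

// Markup the sanitizer lets through. Everything else (img, svg, iframe,
// script, style, every on* attribute, ...) is removed.
const ALLOWED_TAGS = new Set([
  'b', 'i', 'u', 'strong', 'em', 'p', 'br', 'ul', 'ol', 'li', 'code', 'pre', 'a',
]);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Positive scheme check for href: javascript:, data:, vbscript: etc. never pass.
const SAFE_URL = /^(https?|mailto):/i;

function sanitizeHtml(html) {
  // 1. Remove comments and raw-text elements together with their contents,
  //    so that nothing inside them can later be reparsed as markup.
  let out = String(html)
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');

  // 2. Rebuild every remaining tag from scratch, keeping only allowlisted
  //    tag names and attributes. Unknown tags are dropped, their text kept.
  out = out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (whole, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole.startsWith('</')) return `</${name}>`;

    const allowed = ALLOWED_ATTRS[name] || new Set();
    const kept = [];
    const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!allowed.has(attr)) continue;              // drops onerror, onclick, style, ...
      // Browsers ignore tab/newline inside a scheme, so strip control
      // characters before checking, otherwise "java\tscript:" slips through.
      if (attr === 'href' && !SAFE_URL.test(value.replace(/[\x00-\x20]/g, ''))) continue;
      kept.push(` ${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.join('')}>`;
  });
  return out;
}

// Minimal stand-in for a DOM element so the example runs in Node.
function makeWrapper() {
  return { innerHTML: '' };
}

// The pattern the advisory describes: pasted markup written straight into
// innerHTML, so every tag in the clipboard payload becomes live DOM.
function processHtmlUnsafe(pasted) {
  const wrapper = makeWrapper();
  wrapper.innerHTML = pasted;
  return wrapper;
}

// Hardened variant: reduce the payload to allowlisted markup first.
function processHtmlSafe(pasted) {
  const wrapper = makeWrapper();
  wrapper.innerHTML = sanitizeHtml(pasted);
  return wrapper;
}

// Constructed clipboard payload: benign formatting mixed with an <img> whose
// error handler fires as soon as a real browser parses it, an on* handler on
// a link, and a javascript: URL.
const PASTED_PAYLOAD =
  'Hello <b>world</b> ' +
  '<a href="https://example.com" onclick="steal()">link</a> ' +
  '<img src=x onerror="alert(document.domain)"> ' +
  '<a href="javascript:alert(1)">bad</a>';

console.log('unsafe:', processHtmlUnsafe(PASTED_PAYLOAD).innerHTML);
console.log('safe:  ', processHtmlSafe(PASTED_PAYLOAD).innerHTML);
```

The sanitizer is deliberately positive-allowlist: it never tries to enumerate bad tags or attributes, which is why uppercase tag names, unquoted attribute values and whitespace-obfuscated schemes all fall out without special cases. A regex tokenizer is still a stand-in for a real HTML parser; for production code use a maintained sanitizer such as DOMPurify, which handles the parser-differential cases this example does not.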

Permalink: https://github.com/advisories/GHSA-6mvj-2569-3mcm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bXZqLTI1NjktM21jbc4AA-Yi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-6mvj-2569-3mcm, CVE-2022-23474
References: Repository: https://github.com/codex-team/editor.js
Blast Radius: 18.9

Affected Packages

npm:@editorjs/editorjs
Dependent packages: 287
Dependent repositories: 1,270
Downloads: 429,946 last month
Affected Version Ranges: < 2.26.0
Fixed in: 2.26.0
All affected versions: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.17.0, 2.18.0, 2.19.0, 2.19.1, 2.19.2, 2.19.3, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.22.0, 2.22.1, 2.22.2, 2.22.3, 2.23.0, 2.23.1, 2.23.2, 2.24.0, 2.24.1, 2.24.2, 2.24.3, 2.25.0
All unaffected versions: 2.26.0, 2.26.1, 2.26.2, 2.26.3, 2.26.4, 2.26.5, 2.27.0, 2.27.1, 2.27.2, 2.28.0, 2.28.1, 2.28.2, 2.29.0, 2.29.1, 2.30.0, 2.30.1, 2.30.2, 2.30.3, 2.30.4, 2.30.5, 2.30.6, 2.30.7