CVE-2024-53382 security issue

[Rai-Rai]

Information:

• Prism version: 1.29

Description
CVE-2024-53382

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

[markvantilburg]

#3863

[zhu-xiaowei]

We have also encountered this issue and are looking forward to seeing it fixed.

[mohlsen]

in https://github.com/PrismJS/prism/security#reporting-a-vulnerability it says not to create issues for Vulnerabilities. Was this reported to the maintainers as indicated in the Security Policy?

[markvantilburg]

I don't know about that but this report is 5 months ago: https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660

[gileswells]

While I am not the original reporter nor the author of PR #3863 that resolves this, I've sent the maintainers a brief email on the off chance that they haven't yet seen this thread or the open PR. I'll try to respond back here if they don't respond back publicly.

[theanlay]

• prismjs:1.29.0

Description
CVE-2024-53382 - Severity: Medium

Summary
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Can you help resolve this Vulnerability ?

[markvantilburg]

@DmitrySharabin can you escalate this?

[jake-slashid]

My teams compliance deadline for this is 2 months from today, we'll need to stop using prism then and would really rather not!

[markvantilburg]

My teams compliance deadline for this is 2 months from today, we'll need to stop using prism then and would really rather not!

The fix is merged and a new release is out

[chadlwilson]

Yeah, this can be closed now.