CVE-2022-23474: Editor.js vulnerable to Code Injection
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.
References
- github.com/advisories/GHSA-6mvj-2569-3mcm
- github.com/codex-team/editor.js
- github.com/codex-team/editor.js/commit/f659015be6de8e6f0c322c5ff4d1a4532d2f29a2
- github.com/codex-team/editor.js/pull/2100
- nvd.nist.gov/vuln/detail/CVE-2022-23474
- securitylab.github.com/advisories
- securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js
Detect and mitigate CVE-2022-23474 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →