CVE-2022-23474: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

December 15, 2022 (updated December 20, 2022)

Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 is vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.

References

github.com/codex-team/editor.js/pull/2100
nvd.nist.gov/vuln/detail/CVE-2022-23474
securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js/

Detect and mitigate CVE-2022-23474 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →