CVE-2024-53382

Published: Mar 3, 2025Modified: Jun 27, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Affected (1)

Products: Prismjs: Prism

Prismjs

1 product

Prism

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prismjs Prism	Up to 1.29.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259

Source: cve@mitre.org

Product

https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitPatchThird Party Advisory

Timeline

No history available yet.