
CVE-2022-23647: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PrismJS prism

Medium
Published: Fri Feb 18 2022 (02/18/2022, 14:50:10 UTC)
Source: CVE
Vendor/Project: PrismJS
Product: prism

Description

Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.

AI-Powered Analysis

Last updated: 06/23/2025, 16:02:44 UTC

Technical Analysis

CVE-2022-23647 is a cross-site scripting (XSS) vulnerability identified in the PrismJS syntax highlighting library, specifically affecting the command line plugin versions from 1.14.0 up to but not including 1.27.0. PrismJS is widely used for client-side syntax highlighting in web applications and documentation sites. The vulnerability arises because the command line plugin fails to properly escape or sanitize user input before inserting it into the DOM as HTML code. This improper neutralization of input (CWE-79) allows an attacker to inject malicious scripts into web pages that use the vulnerable plugin with untrusted inputs. Notably, server-side usage of PrismJS is not affected, and websites that do not utilize the command line plugin are also not vulnerable. The issue was addressed and fixed in version 1.27.0 of PrismJS. Until upgrading, mitigations include avoiding the use of the command line plugin on untrusted inputs or sanitizing all code blocks to remove any embedded HTML code before rendering. There are no known exploits in the wild reported to date. The vulnerability primarily impacts client-side web applications that incorporate the vulnerable PrismJS plugin and process untrusted input for syntax highlighting, potentially enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session.
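To make the root cause concrete, here is an added example (not PrismJS code and not part of the advisory) that models the two patterns at string level: a line of code-block text concatenated straight into markup destined for innerHTML, as the pre-1.27.0 plugin effectively did, beside the same rendering with HTML escaping applied first. escapeHtml, renderLineVulnerable, renderLineHardened and containsMarkup are assumed helper names; the sample input is constructed.

```javascript
// Added example, not PrismJS code: models the Command Line plugin defect
// (text inserted into the DOM as HTML) and the escaping that the fix applies.

// Escape the five characters that matter in HTML text and attribute values
// (assumed helper, not Prism's own implementation).
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the line's raw text is concatenated into markup that
// later lands in innerHTML, so any tag inside the code block is parsed as HTML.
function renderLineVulnerable(line) {
  return '<span class="command-line-line">' + line + '</span>';
}

// Hardened pattern: escape first, so the browser shows the text verbatim.
function renderLineHardened(line) {
  return '<span class="command-line-line">' + escapeHtml(line) + '</span>';
}

// Cheap pre-render check for the workaround in the advisory: flag any code
// block line containing something the HTML parser would treat as a tag.
function containsMarkup(line) {
  return /<[a-zA-Z!/]/.test(line);
}

// Constructed sample: a harmless tag is enough to show the difference.
const SAMPLE = 'echo "<b>hi</b>"';
```

With the vulnerable renderer the `<b>` element becomes part of the page; with the hardened one the line is displayed exactly as typed.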

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to web applications that embed PrismJS with the vulnerable command line plugin and accept untrusted user input for syntax highlighting. Successful exploitation could lead to the execution of arbitrary scripts in users' browsers, resulting in session hijacking, credential theft, defacement, or redirection to malicious sites. This could undermine user trust, lead to data breaches, or facilitate further attacks such as phishing or malware distribution. Organizations in sectors with high web presence—such as e-commerce, media, education, and government—may be particularly impacted if they use the vulnerable plugin without proper input sanitization. However, the scope is limited to client-side usage of the command line plugin, and server-side PrismJS implementations are unaffected. The lack of known active exploitation reduces immediate risk but does not eliminate the potential for targeted attacks. The impact on confidentiality and integrity is moderate, while availability impact is minimal unless combined with other attack vectors.

Mitigation Recommendations

European organizations should take the following specific steps to mitigate this vulnerability:

1) Identify all web applications and services using PrismJS, particularly versions between 1.14.0 and 1.27.0, and verify whether the command line plugin is in use.
2) Upgrade PrismJS to version 1.27.0 or later, which contains the fix for this vulnerability.
3) If an immediate upgrade is not feasible, disable the command line plugin or avoid processing untrusted input through it.
4) Implement rigorous input sanitization on all code blocks passed to the command line plugin, removing any embedded HTML or script tags before rendering.
5) Conduct security reviews and penetration testing focused on XSS vectors in affected applications.
6) Educate developers about safe usage patterns of PrismJS and the risks of client-side script injection.
7) Monitor web application logs and user reports for suspicious activity that could indicate attempted exploitation.

These steps go beyond generic advice by emphasizing plugin-specific controls, version auditing, and input sanitization tailored to the PrismJS command line plugin context.
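Steps 1 and 2 above amount to a version-and-plugin audit, shown here as an added example (not from the advisory or the PrismJS project). It checks whether a declared prismjs version falls in the affected range [1.14.0, 1.27.0) and whether a page's script list loads the plugin file prism-command-line.js (or its .min.js build); parseVersion, isAffectedVersion, usesCommandLinePlugin and auditSite are assumed helper names, and the sample site data is constructed.

```javascript
// Added example: audit helpers for the PrismJS Command Line plugin exposure.
const AFFECTED_MIN = [1, 14, 0]; // first affected version (inclusive)
const FIXED = [1, 27, 0];        // fix released in this version (exclusive)

// Parse "1.26.0" (optionally prefixed with v, ^ or ~) into numeric parts;
// returns null for anything that is not a plain semver triple.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when 1.14.0 <= version < 1.27.0. Prefer the resolved version from the
// lockfile over a range declared in package.json.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return false;
  return compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, FIXED) < 0;
}

// Any script URL or import path ending in the plugin's file name loads it.
function usesCommandLinePlugin(scriptPaths) {
  return scriptPaths.some((p) => /prism-command-line(\.min)?\.js$/.test(p));
}

// Per the advisory, a site is exposed only when both conditions hold.
function auditSite(site) {
  const version = (site.dependencies && site.dependencies.prismjs) || '';
  const affected = isAffectedVersion(version);
  const plugin = usesCommandLinePlugin(site.scripts || []);
  return { version, affectedVersion: affected, commandLinePlugin: plugin, exposed: affected && plugin };
}

// Constructed sample: a site on 1.25.0 that loads the plugin.
const SAMPLE_SITE = {
  dependencies: { prismjs: '^1.25.0' },
  scripts: ['/js/prism.js', '/js/plugins/command-line/prism-command-line.min.js'],
};
```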


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-01-19T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf25e6

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 4:02:44 PM

Last updated: 8/12/2025, 7:35:01 AM

