Vulnerability Description
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To work around the issue without upgrading, disable the easing preview on all impacted code blocks; this workaround requires Prism v1.10.0 or newer.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Prismjs | Previewers | >= 1.1.0, < 1.21.0 |
| Apple | Safari | - |
| Microsoft | Internet Explorer | - |
Related Weaknesses (CWE)
References
- https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2 (Patch, Third Party Advisory)
- https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9 (Third Party Advisory)
- https://prismjs.com/plugins/previewers/#disabling-a-previewer (Vendor Advisory)
FAQ
What is CVE-2020-15138?
CVE-2020-15138 is a vulnerability with a CVSS score of 7.1 (HIGH). Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This ...
How severe is CVE-2020-15138?
CVE-2020-15138 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-15138?
Check the references section above for vendor advisories and patch information. Affected products include: Prismjs Previewers, Apple Safari, Microsoft Internet Explorer.