CVE-2020-15138
Last modified
CVE-2020-15138 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. EPSS estimates a 2.04% chance of exploitation in the next 30 days.
Description
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Prismjs | Previewers | >= 1.1.0, < 1.21.0 |
References
- https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20cPatch, Third Party Advisory
- https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9Third Party Advisory
- https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20cPatch, Third Party Advisory
- https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-15138?
How severe is CVE-2020-15138?
How do I fix CVE-2020-15138?
Are you affected by CVE-2020-15138?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST