Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd2aG0tNGhoZi05N3g5

Cross-Site Scripting in Prism

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

Permalink: https://github.com/advisories/GHSA-wvhm-4hhf-97x9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd2aG0tNGhoZi05N3g5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 2 years ago

CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

EPSS Percentage: 0.00362
EPSS Percentile: 0.71997

Identifiers: GHSA-wvhm-4hhf-97x9, CVE-2020-15138
References:

• https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
• https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
• https://prismjs.com/plugins/previewers/#disabling-a-previewer
• https://nvd.nist.gov/vuln/detail/CVE-2020-15138
• https://github.com/advisories/GHSA-wvhm-4hhf-97x9

Repository: https://github.com/PrismJS/prism
Blast Radius: 37.9

Affected Packages