CVE-2020-15138 — Cross-site Scripting in Previewers
Severity
NVD: 7.5 HIGH
CNA: 7.1
EPSS
0.9%
top 24.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 7
Latest update: Aug 10
Description
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To work around the issue without upgrading, disable the easing preview on all impacted code bloc…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Exploitability: 1.6 | Impact: 5.3
Affected Packages: 2 packages
Patches
Vulnerability Details: 4
Vendor Advisories: 2
Community: 1
Bugzilla
CVE-2020-15138 nodejs-prismjs: xss vulnerability that allows attackers to execute arbitrary code (2020-08-10)