CVE-2020-15138

Published: 07 August 2020

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To work around the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Priority

Medium

CVSS 3 base score: 7.5

Status

| Package | Release | Status |
| --- | --- | --- |
| node-prismjs | Upstream | Released (1.21.0) |
| | Ubuntu 21.10 (Impish Indri) | Not vulnerable (1.11.0+dfsg-4) |
| | Ubuntu 21.04 (Hirsute Hippo) | Not vulnerable (1.11.0+dfsg-4) |
| | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable (1.11.0+dfsg-4) |
| | Ubuntu 20.04 LTS (Focal Fossa) | Needed |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
| | Ubuntu 16.04 ESM (Xenial Xerus) | Does not exist |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |