CVE-2020-15138 HIGH

CVE-2020-15138: Cross-Site Scripting in Prism

Vendor Prismjs

Product prism

Weakness CWE-79 · XSS

Published August 7, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Key dates

02Disclosure timeline

August 7, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-15138

Related vulnerabilities

CVE-2020-15138: Cross-Site Scripting in Prism

01Description

02Disclosure timeline

03References

04Related CVE