Skip to content

Cross-Site Scripting in Prism

high severity Published Aug 7, 2020 in PrismJS/prism • Updated Jan 7, 2021

Package

npm prismjs (npm)

Affected versions

>= 1.1.0, < 1.21.0

Patched versions

1.21.0

Description

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

References

@RunDevelopment RunDevelopment published the maintainer security advisory Aug 6, 2020

CVE ID

CVE-2020-15138

CVSS Score

7.1 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Credits