CVE-2020-15138

Cross-Site Scripting in Prism

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Prism es vulnerable a un ataque de tipo Cross-Site Scripting. La vista previa simplificada del plugin Previewers presenta una vulnerabilidad de tipo XSS que permite a atacantes ejecutar código arbitrario en Safari e Internet Explorer. Esto afecta a todos los usuarios de Safari e Internet Explorer de Prism versiones posteriores a v1.1.0 e incluyéndola, que utilizan el plugin _Previewers_ (versiones posteriores a v1.10.0 e incluyéndola) o el plugin _Previewer: Easing_ (versiones v1.1.0 hasta v1.9.0). Este problema es corregido en la versión 1.21.0. Para solucionar el problema sin actualizar, desactive la vista previa simplificada en todos los bloques de código afectados. Necesita Prism versión v1.10.0 o más reciente para aplicar esta solución

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-07-30 First Exploit
2020-08-07 CVE Published
2024-07-31 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9	Third Party Advisory

URL	Date	SRC
https://github.com/ossf-cve-benchmark/CVE-2020-15138	2020-07-30

URL	Date	SRC
https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c	2020-08-28

URL	Date	SRC
https://prismjs.com/plugins/previewers/#disabling-a-previewer	2020-08-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Prismjs Search vendor "Prismjs"	Previewers Search vendor "Prismjs" for product "Previewers"	>= 1.1.0 < 1.21.0 Search vendor "Prismjs" for product "Previewers" and version " >= 1.1.0 < 1.21.0"	prismjs	Affected	in	Apple Search vendor "Apple"	Safari Search vendor "Apple" for product "Safari"	-	-	Safe
Prismjs Search vendor "Prismjs"	Previewers Search vendor "Prismjs" for product "Previewers"	>= 1.1.0 < 1.21.0 Search vendor "Prismjs" for product "Previewers" and version " >= 1.1.0 < 1.21.0"	prismjs	Affected	in	Microsoft Search vendor "Microsoft"	Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"	-	-	Safe