CVE-2020-15138

HIGH EPSS 78.7%
Published Aug 7, 20205y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Aug 7, 2020 5y ago
Last Modified Jun 17, 2026 2w ago

Description

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

CVSS Details

Base Score
7.5
Exploitability
1.6
Impact
5.3
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
78.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 3

VendorProductVersionRange
prismjspreviewers*≥1.1.0  –  <1.21.0
applesafari*any
microsoftinternet_explorer*any

References 3

  • github.com https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
    PatchThird Party Advisory
  • github.com https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
    Third Party Advisory
  • prismjs.com https://prismjs.com/plugins/previewers/#disabling-a-previewer
    Vendor Advisory

Remediation

  • github.com https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
    PatchThird Party Advisory