CVE-2020-15138

Опубликовано: 07 авг. 2020

Источник: nvd

CVSS3: 7.1

CVSS3: 7.5

CVSS2: 2.6

EPSS Низкий

Описание

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Ссылки

https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
Patch
Third Party Advisory
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
Third Party Advisory
https://prismjs.com/plugins/previewers/#disabling-a-previewer
Vendor Advisory
https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
Patch
Third Party Advisory
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
Third Party Advisory
https://prismjs.com/plugins/previewers/#disabling-a-previewer
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:prismjs:previewers:*:*:*:*:*:prismjs:*:*

Версия от 1.1.0 (включая) до 1.21.0 (исключая)

Одно из

cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*

cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*

EPSS

Процентиль: 75%

0.00864

Низкий

7.1 High

CVSS3

7.5 High

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2020-15138

CVSS3: 7.1

ubuntu

больше 5 лет назад

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

CVE-2020-15138

CVSS3: 7.5

redhat

больше 5 лет назад

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

CVE-2020-15138

CVSS3: 7.1

debian

больше 5 лет назад

Prism is vulnerable to Cross-Site Scripting. The easing preview of the ...

GHSA-wvhm-4hhf-97x9

CVSS3: 7.1

github

больше 5 лет назад

Cross-Site Scripting in Prism

EPSS

Процентиль: 75%

0.00864

Низкий

7.1 High

CVSS3

7.5 High

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-79