Skip to content

XSS vulnerability in the Previewers plugin

High
RunDevelopment published GHSA-wvhm-4hhf-97x9 Aug 6, 2020

Package

npm prismjs (npm)

Affected versions

>=1.1.0 <1.21.0

Patched versions

1.21.0

Description

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Patches

This problem is patched in v1.21.0.

Workarounds

To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

Severity

High

CVE ID

CVE-2020-15138

Weaknesses

No CWEs

Credits