OpenCVE

Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Safari
Microsoft	Internet Explorer
Prismjs	Previewers

Configuration 1 [-]

AND

cpe:2.3:a:prismjs:previewers:*:*:*:*:*:prismjs:*:*

OR	cpe:2.3:a:apple:safari:-:::::::*
	cpe:2.3:a:microsoft:internet_explorer:-:::::::*

No data.

References

Link	Providers
https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
https://nvd.nist.gov/vuln/detail/CVE-2020-15138
https://prismjs.com/plugins/previewers/#disabling-a-previewer
https://www.cve.org/CVERecord?id=CVE-2020-15138

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-08-07T16:30:14

Updated: 2024-08-04T13:08:21.948Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15138

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-08-07T17:15:10.450

Modified: 2024-11-21T05:04:55.517

Link: CVE-2020-15138

Redhat

Severity : Moderate

Publid Date: 2020-08-07T00:00:00Z

Links: CVE-2020-15138 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "prism", "vendor": "PrismJS", "versions": [{"status": "affected", "version": ">= 1.1.0, < 1.21.0"}]}], "descriptions": [{"lang": "en", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-07T16:30:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"tags": ["x_refsource_MISC"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}], "source": {"advisory": "GHSA-wvhm-4hhf-97x9", "discovery": "UNKNOWN"}, "title": "Cross-Site Scripting in Prism", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15138", "STATE": "PUBLIC", "TITLE": "Cross-Site Scripting in Prism"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "prism", "version": {"version_data": [{"version_value": ">= 1.1.0, < 1.21.0"}]}}]}, "vendor_name": "PrismJS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", "refsource": "CONFIRM", "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"name": "https://prismjs.com/plugins/previewers/#disabling-a-previewer", "refsource": "MISC", "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"name": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", "refsource": "MISC", "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}]}, "source": {"advisory": "GHSA-wvhm-4hhf-97x9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.948Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15138", "datePublished": "2020-08-07T16:30:14", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.948Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prismjs:previewers:*:*:*:*:*:prismjs:*:*", "matchCriteriaId": "066FA9AE-722F-4905-8084-A42449E0A243", "versionEndExcluding": "1.21.0", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFDA34B4-65B4-41A5-AC22-667C8D8FF4B7", "vulnerable": false}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*", "matchCriteriaId": "C37BA825-679F-4257-9F2B-CE2318B75396", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}, {"lang": "es", "value": "Prism es vulnerable a un ataque de tipo Cross-Site Scripting. La vista previa simplificada del plugin Previewers presenta una vulnerabilidad de tipo XSS que permite a atacantes ejecutar c\u00f3digo arbitrario en Safari e Internet Explorer. Esto afecta a todos los usuarios de Safari e Internet Explorer de Prism versiones posteriores a v1.1.0 e incluy\u00e9ndola, que utilizan el plugin _Previewers_ (versiones posteriores a v1.10.0 e incluy\u00e9ndola) o el plugin _Previewer: Easing_ (versiones v1.1.0 hasta v1.9.0). Este problema es corregido en la versi\u00f3n 1.21.0. Para solucionar el problema sin actualizar, desactive la vista previa simplificada en todos los bloques de c\u00f3digo afectados. Necesita Prism versi\u00f3n v1.10.0 o m\u00e1s reciente para aplicar esta soluci\u00f3n"}], "id": "CVE-2020-15138", "lastModified": "2024-11-21T05:04:55.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.3, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-07T17:15:10.450", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nodejs-prismjs: xss vulnerability that allows attackers to execute arbitrary code", "id": "1867581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867581"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", "A flaw was found in nodejs-prismjs. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code."], "name": "CVE-2020-15138", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-08-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15138\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15138\nhttps://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"], "statement": "While the grafana containers in OpenShift and ServiceMesh contain the prismjs plugin, they don't package the vulnerable previewer plugin and hence are not affected.\nThe grafana containers in Ceph 3 contain the prismjs plugin, but do not package the vulnerable previewer plugin and are not affected.", "threat_severity": "Moderate", "upstream_fix": "nodejs-prismjs 1.21.0"}