{"containers": {"cna": {"affected": [{"product": "prism", "vendor": "PrismJS", "versions": [{"status": "affected", "version": ">= 1.1.0, < 1.21.0"}]}], "descriptions": [{"lang": "en", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-07T16:30:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"tags": ["x_refsource_MISC"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}], "source": {"advisory": "GHSA-wvhm-4hhf-97x9", "discovery": "UNKNOWN"}, "title": "Cross-Site Scripting in Prism", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15138", "STATE": "PUBLIC", "TITLE": "Cross-Site Scripting in Prism"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "prism", "version": {"version_data": [{"version_value": ">= 1.1.0, < 1.21.0"}]}}]}, "vendor_name": "PrismJS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", "refsource": "CONFIRM", "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"name": "https://prismjs.com/plugins/previewers/#disabling-a-previewer", "refsource": "MISC", "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"name": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", "refsource": "MISC", "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}]}, "source": {"advisory": "GHSA-wvhm-4hhf-97x9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.948Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15138", "datePublished": "2020-08-07T16:30:14", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.948Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFDA34B4-65B4-41A5-AC22-667C8D8FF4B7", "vulnerable": false}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*", "matchCriteriaId": "C37BA825-679F-4257-9F2B-CE2318B75396", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:prismjs:previewers:*:*:*:*:*:prismjs:*:*", "matchCriteriaId": "066FA9AE-722F-4905-8084-A42449E0A243", "versionEndExcluding": "1.21.0", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround."}, {"lang": "es", "value": "Prism es vulnerable a un ataque de tipo Cross-Site Scripting. La vista previa simplificada del plugin Previewers presenta una vulnerabilidad de tipo XSS que permite a atacantes ejecutar c\u00f3digo arbitrario en Safari e Internet Explorer. Esto afecta a todos los usuarios de Safari e Internet Explorer de Prism versiones posteriores a v1.1.0 e incluy\u00e9ndola, que utilizan el plugin _Previewers_ (versiones posteriores a v1.10.0 e incluy\u00e9ndola) o el plugin _Previewer: Easing_ (versiones v1.1.0 hasta v1.9.0). Este problema es corregido en la versi\u00f3n 1.21.0. Para solucionar el problema sin actualizar, desactive la vista previa simplificada en todos los bloques de c\u00f3digo afectados. Necesita Prism versi\u00f3n v1.10.0 o m\u00e1s reciente para aplicar esta soluci\u00f3n"}], "id": "CVE-2020-15138", "lastModified": "2020-08-28T17:06:10.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.3, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-08-07T17:15:10.450", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://prismjs.com/plugins/previewers/#disabling-a-previewer"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs-prismjs: xss vulnerability that allows attackers to execute arbitrary code", "id": "1867581", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1867581"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", "A flaw was found in nodejs-prismjs. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code."], "name": "CVE-2020-15138", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-08-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15138\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15138\nhttps://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9"], "statement": "While the grafana containers in OpenShift and ServiceMesh contain the prismjs plugin, they don't package the vulnerable previewer plugin and hence are not affected.\nThe grafana containers in Ceph 3 contain the prismjs plugin, but do not package the vulnerable previewer plugin and are not affected.", "threat_severity": "Moderate", "upstream_fix": "nodejs-prismjs 1.21.0"}