Vulnerabilites related to prismjs - previewers
Vulnerability from fkie_nvd
Published
2020-08-07 17:15
Modified
2024-11-21 05:04
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Summary
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| prismjs | previewers | * | |
| apple | safari | - | |
| microsoft | internet_explorer | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:prismjs:previewers:*:*:*:*:*:prismjs:*:*", matchCriteriaId: "066FA9AE-722F-4905-8084-A42449E0A243", versionEndExcluding: "1.21.0", versionStartIncluding: "1.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*", matchCriteriaId: "AFDA34B4-65B4-41A5-AC22-667C8D8FF4B7", vulnerable: false, }, { criteria: "cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*", matchCriteriaId: "C37BA825-679F-4257-9F2B-CE2318B75396", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", }, { lang: "es", value: "Prism es vulnerable a un ataque de tipo Cross-Site Scripting. La vista previa simplificada del plugin Previewers presenta una vulnerabilidad de tipo XSS que permite a atacantes ejecutar código arbitrario en Safari e Internet Explorer. Esto afecta a todos los usuarios de Safari e Internet Explorer de Prism versiones posteriores a v1.1.0 e incluyéndola, que utilizan el plugin _Previewers_ (versiones posteriores a v1.10.0 e incluyéndola) o el plugin _Previewer: Easing_ (versiones v1.1.0 hasta v1.9.0). Este problema es corregido en la versión 1.21.0. Para solucionar el problema sin actualizar, desactive la vista previa simplificada en todos los bloques de código afectados. Necesita Prism versión v1.10.0 o más reciente para aplicar esta solución", }, ], id: "CVE-2020-15138", lastModified: "2024-11-21T05:04:55.517", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.5, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.3, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-08-07T17:15:10.450", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2020-15138
Vulnerability from cvelistv5
Published
2020-08-07 16:30
Modified
2024-08-04 13:08
Severity ?
EPSS score ?
Summary
Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9 | x_refsource_CONFIRM | |
| https://prismjs.com/plugins/previewers/#disabling-a-previewer | x_refsource_MISC | |
| https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T13:08:21.948Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "prism", vendor: "PrismJS", versions: [ { status: "affected", version: ">= 1.1.0, < 1.21.0", }, ], }, ], descriptions: [ { lang: "en", value: "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-08-07T16:30:14", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { tags: [ "x_refsource_MISC", ], url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], source: { advisory: "GHSA-wvhm-4hhf-97x9", discovery: "UNKNOWN", }, title: "Cross-Site Scripting in Prism", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2020-15138", STATE: "PUBLIC", TITLE: "Cross-Site Scripting in Prism", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "prism", version: { version_data: [ { version_value: ">= 1.1.0, < 1.21.0", }, ], }, }, ], }, vendor_name: "PrismJS", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To workaround the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", refsource: "CONFIRM", url: "https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9", }, { name: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", refsource: "MISC", url: "https://prismjs.com/plugins/previewers/#disabling-a-previewer", }, { name: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", refsource: "MISC", url: "https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c", }, ], }, source: { advisory: "GHSA-wvhm-4hhf-97x9", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2020-15138", datePublished: "2020-08-07T16:30:14", dateReserved: "2020-06-25T00:00:00", dateUpdated: "2024-08-04T13:08:21.948Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }