CVE-2020-15138 : Security Advisory and Response

PrismJS versions >= 1.1.0 and < 1.21.0 are vulnerable to Cross-Site Scripting. Learn about the impact on Safari and Internet Explorer users, the exploitation mechanism, and mitigation steps.

Prism is vulnerable to Cross-Site Scripting, impacting Safari and Internet Explorer users. The vulnerability lies in the easing preview of the Previewers plugin.

Understanding CVE-2020-15138

PrismJS, specifically versions >= 1.1.0 and < 1.21.0, is affected by a Cross-Site Scripting vulnerability.

What is CVE-2020-15138?

PrismJS, a syntax highlighter, is susceptible to a Cross-Site Scripting vulnerability due to an XSS issue in the easing preview of the Previewers plugin.

The Impact of CVE-2020-15138

- Attackers can execute arbitrary code in Safari and Internet Explorer through the vulnerability.
- Users of Prism >=v1.1.0 utilizing the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0) are affected.

Technical Details of CVE-2020-15138

PrismJS versions >= 1.1.0 and < 1.21.0 are affected by this Cross-Site Scripting vulnerability.

Vulnerability Description

- The easing preview of the Previewers plugin in PrismJS allows for the execution of arbitrary code.

Affected Systems and Versions

- All Safari and Internet Explorer users of Prism >=v1.1.0 are impacted.

Exploitation Mechanism

- Attackers can exploit the vulnerability by leveraging the XSS issue in the easing preview of the Previewers plugin.

Mitigation and Prevention

To address the CVE-2020-15138 vulnerability in Prism, consider the following:

Immediate Steps to Take

- Upgrade to version 1.21.0 of Prism to fix the issue.
- Alternatively, disable the easing preview on all affected code blocks if upgrading is not immediately possible.
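As an added example (not code from this advisory or from the Prism project), the following check applies the conditions stated above to a dependency inventory: a PrismJS version in the range >= 1.1.0 and < 1.21.0 together with the Previewers plugin or the older Previewer: Easing plugin. The plugin labels, entry shape and sample inventory are constructed for the example.

```javascript
// Parse "1.20.0" or "v1.20.0" into [major, minor, patch]; any prerelease tag is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1; numeric so that 1.9.0 sorts before 1.10.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = "1.1.0"; // inclusive lower bound stated in the advisory
const FIXED_IN = "1.21.0";    // first fixed release, so an exclusive upper bound
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Constructed labels: "previewers" for the Previewers plugin (>= 1.10.0) and
// "previewer-easing" for the separate Previewer: Easing plugin (1.1.0 to 1.9.0).
const EASING_PLUGINS = new Set(["previewers", "previewer-easing"]);

// Classify one inventory entry of the shape { app, version, plugins }.
function assess(entry) {
  if (!isAffectedVersion(entry.version)) return "not affected: version outside range";
  if (!entry.plugins.some((p) => EASING_PLUGINS.has(p))) {
    return "version in range, easing preview not loaded";
  }
  return "AFFECTED: upgrade to 1.21.0 or disable the easing preview";
}

// Constructed sample inventory; these are not real deployments.
const SAMPLE_INVENTORY = [
  { app: "docs-site", version: "1.20.0", plugins: ["previewers", "line-numbers"] },
  { app: "blog", version: "1.21.0", plugins: ["previewers"] },
  { app: "wiki", version: "v1.5.1", plugins: ["previewer-easing"] },
  { app: "intranet", version: "1.15.0", plugins: ["toolbar"] },
  { app: "legacy", version: "1.0.0", plugins: ["previewer-easing"] },
];

function report(inventory = SAMPLE_INVENTORY) {
  return inventory.map((e) => ({ app: e.app, status: assess(e) }));
}

console.table(report());
```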

Long-Term Security Practices

- Regularly update PrismJS to the latest version to ensure all security patches are applied.

Patching and Updates

- Stay informed about security advisories and promptly apply patches released by PrismJS.
