Candidate: CVE-2020-15138
PublicDate: 2020-08-07 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15138
 https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
 https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
 https://prismjs.com/plugins/previewers/#disabling-a-previewer
Description:
 Prism is vulnerable to Cross-Site Scripting. The easing preview of the
 Previewers plugin has an XSS vulnerability that allows attackers to execute
 arbitrary code in Safari and Internet Explorer. This impacts all Safari and
 Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin
 (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This
 problem is fixed in version 1.21.0. To workaround the issue without
 upgrading, disable the easing preview on all impacted code blocks. You need
 Prism v1.10.0 or newer to apply this workaround.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L [7.5 HIGH]


Patches_node-prismjs:
upstream_node-prismjs: released (1.21.0)
precise/esm_node-prismjs: DNE
trusty_node-prismjs: ignored (out of standard support)
trusty/esm_node-prismjs: DNE
xenial_node-prismjs: DNE
bionic_node-prismjs: DNE
focal_node-prismjs: needed
groovy_node-prismjs: not-affected (1.11.0+dfsg-4)
hirsute_node-prismjs: not-affected (1.11.0+dfsg-4)
impish_node-prismjs: not-affected (1.11.0+dfsg-4)
jammy_node-prismjs: not-affected (1.11.0+dfsg-4)
devel_node-prismjs: not-affected (1.11.0+dfsg-4)