CVE-2020-15138

Name: CVE-2020-15138

Description: Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_ plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To work around the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.

Source: CVE

Debian Bugs: 968094

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                 Version                   Status
node-prismjs (PTS)    bullseye                1.23.0+dfsg-1+deb11u2     fixed
node-prismjs (PTS)    sid, trixie, bookworm   1.29.0+dfsg+~1.26.0-1     fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
node-prismjs   source   (unstable)   1.11.0+dfsg-4                       968094

Notes

https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
https://github.com/PrismJS/prism/commit/8bba4880202ef6bd7a1e379fe9aebe69dd75f7be
