GHSA-wvhm-4hhf-97x9

Source
https://github.com/advisories/GHSA-wvhm-4hhf-97x9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-wvhm-4hhf-97x9/GHSA-wvhm-4hhf-97x9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wvhm-4hhf-97x9
Aliases
Related
Published
2020-08-07T22:28:30Z
Modified
2026-01-30T02:02:26.503346Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Summary
Cross-Site Scripting in Prism
Details

Impact

The easing preview of the Previewers plugin has an XSS vulnerability that allows an attacker who controls the content of a highlighted code block to execute arbitrary JavaScript in the page context of Safari and Internet Explorer users.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 and <v1.21.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0). Installations that load neither plugin do not contain the vulnerable code path.
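The package-level affected range recorded below (>=1.1.0, <1.21.0) is coarser than the conditions just stated: exposure also depends on which previewer plugin a page loads. The following is an added example, not code from the advisory or from the Prism project, that applies the advisory's conditions to an inventory of prismjs installs. The plugin labels 'previewers' and 'previewer-easing' are this example's own names for the bundled Previewers plugin and the older stand-alone Previewer: Easing plugin, and the inventory is constructed sample data. It says nothing about the visitor's browser, which the advisory limits to Safari and Internet Explorer.

```javascript
// Added example, not from the advisory or from Prism. Applies the advisory's
// affected set (version plus loaded previewer plugin) to an installed prismjs
// version, which is finer than the package-level range >=1.1.0, <1.21.0.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 on the major.minor.patch triple (prerelease tags ignored).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// lo inclusive, hi exclusive
function inRange(v, lo, hi) {
  return compareSemver(v, lo) >= 0 && compareSemver(v, hi) < 0;
}

// Plugin labels are this example's own: 'previewers' for the bundled
// Previewers plugin (Prism >= 1.10.0), 'previewer-easing' for the older
// stand-alone Previewer: Easing plugin (1.1.0 to 1.9.0).
function assessPrism(version, plugins) {
  if (compareSemver(version, '1.21.0') >= 0) return 'fixed';
  if (compareSemver(version, '1.1.0') < 0) return 'not-affected';
  if (plugins.includes('previewers') && inRange(version, '1.10.0', '1.21.0')) {
    return 'affected-previewers';
  }
  if (plugins.includes('previewer-easing') && inRange(version, '1.1.0', '1.10.0')) {
    return 'affected-previewer-easing';
  }
  // Easing preview is not loaded: the vulnerable code path is not present.
  return 'not-affected';
}

// Constructed sample inventory (not real deployments).
const SAMPLE_INVENTORY = [
  { site: 'docs-a', version: '1.20.1', plugins: ['previewers', 'line-numbers'] },
  { site: 'docs-b', version: '1.9.0', plugins: ['previewer-easing'] },
  { site: 'docs-c', version: '1.15.0', plugins: ['line-numbers'] },
  { site: 'docs-d', version: '1.21.0', plugins: ['previewers'] },
];

function assessInventory(inventory) {
  return inventory.map((e) => ({ site: e.site, status: assessPrism(e.version, e.plugins) }));
}

for (const r of assessInventory(SAMPLE_INVENTORY)) {
  console.log(`${r.site}: ${r.status}`);
}
```

Feed it the prismjs version from package-lock.json and the plugin list from the page's script tags; anything other than 'fixed' or 'not-affected' needs the upgrade or the workaround below.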

Patches

This problem is patched in v1.21.0.

Workarounds

To work around the issue without upgrading, disable the easing preview on all impacted code blocks. You need Prism v1.10.0 or newer to apply this workaround.
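One way to apply that workaround across a page, as an added example that is not the advisory's or Prism's own code. It assumes, from the Previewers plugin documentation rather than from this page, that the plugin (Prism >= 1.10.0) reads a space-separated allow-list of previewer names from a `data-previewers` attribute on the `<pre>` element and that the bundled previewers are angle, color, easing, gradient and time; verify both against the plugin version you ship. The fake DOM at the bottom is constructed so the example also runs under Node.

```javascript
// Added example, not Prism's own code. Workaround for GHSA-wvhm-4hhf-97x9 on
// Prism >= 1.10.0 without upgrading: keep every previewer except "easing".
//
// ASSUMPTIONS (verify against the Previewers plugin docs for your version):
//  - the plugin reads a space-separated allow-list of previewer names from a
//    `data-previewers` attribute on the <pre> element;
//  - the bundled previewers are angle, color, easing, gradient and time.
const ALL_PREVIEWERS = ['angle', 'color', 'easing', 'gradient', 'time'];

// Compute the attribute value to set, given the current attribute (or null).
// An absent attribute is treated as "all previewers" so the result is always
// an explicit list that omits easing.
function previewersWithoutEasing(current) {
  const enabled = current && current.trim() !== ''
    ? current.trim().split(/\s+/)
    : ALL_PREVIEWERS;
  const kept = enabled.filter((name) => name !== 'easing');
  // An empty attribute could be read by the plugin as "no restriction", which
  // would silently re-enable easing; always emit a non-empty allow-list.
  return (kept.length ? kept : ['color']).join(' ');
}

// Rewrite every <pre> in `doc` before highlighting runs (for example by
// loading prism.js with data-manual and calling Prism.highlightAll() after
// this). Returns the number of elements changed so the caller can log it.
function disableEasingPreviews(doc) {
  let changed = 0;
  for (const pre of doc.querySelectorAll('pre')) {
    const before = pre.getAttribute('data-previewers');
    const after = previewersWithoutEasing(before);
    if (before !== after) {
      pre.setAttribute('data-previewers', after);
      changed++;
    }
  }
  return changed;
}

// Constructed stand-in for a DOM so the example also runs under Node.
function fakeDocument(attrs) {
  const pres = attrs.map((value) => {
    const a = new Map(value == null ? [] : [['data-previewers', value]]);
    return {
      getAttribute: (k) => (a.has(k) ? a.get(k) : null),
      setAttribute: (k, v) => a.set(k, v),
    };
  });
  return { querySelectorAll: () => pres, pres };
}

if (typeof document !== 'undefined') {
  console.log(`patched ${disableEasingPreviews(document)} code block(s)`);
} else {
  const demo = fakeDocument([null, 'easing', 'color']);
  console.log(`patched ${disableEasingPreviews(demo)} code block(s)`);
}
```

This is a mitigation for pages you cannot upgrade yet; a block that still carries `easing` in its allow-list after this runs indicates the script ran after highlighting or the attribute name differs in your plugin version.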

References

The vulnerability was introduced by this commit on Sep 29, 2015 and fixed by Masato Kinugawa (#2506).

For more information

If you have any questions or comments about this advisory, please open an issue.

Database specific
{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2020-08-07T16:19:07Z"
}
Affected packages

npm / prismjs

Affected ranges
Type: SEMVER
Events: introduced 1.1.0; fixed 1.21.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-wvhm-4hhf-97x9/GHSA-wvhm-4hhf-97x9.json"