CVE-2020-15138
Cross-Site Scripting (XSS) vulnerability in prismjs (npm)
What is CVE-2020-15138 About?
This XSS vulnerability exists in the easing preview feature of the Prism Previewers plugin (>=v1.10.0 or Previewer: Easing v1.1.0 to v1.9.0). It allows attackers to execute arbitrary code in Safari and Internet Explorer browsers. The impact is client-side code execution, and it is moderately easy to exploit via malicious input being rendered by the affected plugin.
Affected Software
Technical Details
The Prism Previewers plugin (specifically the easing preview for versions >=v1.10.0, or Previewer: Easing v1.1.0 to v1.9.0) contains a Cross-Site Scripting (XSS) vulnerability. The easing preview builds the SVG marker URLs it renders from the current document URL (location.href), so data taken from the page URL is written into the SVG without proper escaping. Because of how Safari and Internet Explorer expose that URL, a crafted page URL can carry markup, including JavaScript, into the generated easing curve preview. If a victim using one of these browsers views a page that renders such a preview, the browser executes the injected script within the context of the vulnerable website. This allows an attacker to bypass the same-origin policy, steal cookies, deface the website, or perform other malicious actions on behalf of the user.
What is the Impact of CVE-2020-15138?
Successful exploitation may allow attackers to execute arbitrary client-side script code, leading to session hijacking, defacement of the affected website, or redirection to malicious sites.
What is the Exploitability of CVE-2020-15138?
Exploitation of this XSS vulnerability is of moderate complexity. An attacker needs to inject malicious HTML/JavaScript code into content that will be processed and rendered by the Prism Previewers plugin on a web page. There are no authentication or privilege requirements to trigger the XSS; the attacker only needs the ability to submit or influence content that is then displayed to a victim. This is a remote exploitation scenario, typically via a stored XSS (e.g., posting malicious content on a forum) or reflected XSS (e.g., tricking a user into clicking a malicious link that reflects input). The vulnerability specifically impacts Safari and Internet Explorer users. The primary prerequisites are the use of Prism >=v1.1.0 with the affected Previewers plugin and a mechanism for the attacker to supply unsanitized input to the plugin's rendering logic. The likelihood of exploitation is increased on sites that accept untrusted user-generated content and display code snippets with the Previewers plugin enabled.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15138?
About the Fix from Resolved Security
The patch removes the use of location.href in SVG marker URLs and uses fragment-only URLs (e.g., url(#prism-previewer-easing-marker)), preventing injection of attacker-controlled data into the SVG. This fixes CVE-2020-15138 by mitigating the risk of arbitrary JavaScript execution or information disclosure through maliciously crafted URLs.
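The fix described above, as an added illustration that is not the Prism project's own code: the marker-URL pattern the advisory says was removed (reconstructed from the description, so its exact form is an assumption), the fragment-only form that replaced it, and a small helper that flags url() references in SVG markup that are not fragment-only. The sample document URL and host are constructed.

```javascript
// Added example, not code from the Prism project: it contrasts the marker
// URL pattern the advisory describes (built from location.href) with the
// fragment-only form the fix adopts, plus an audit helper that flags url()
// references in SVG markup that are not fragment-only.

const MARKER_ID = 'prism-previewer-easing-marker';

// Pattern the fix removed (reconstructed from the advisory text, not the
// original source): the document URL is concatenated into the attribute,
// so whatever the browser leaves unescaped in location.href lands in the SVG.
function markerUrlFromHref(href) {
  return 'url(' + href + '#' + MARKER_ID + ')';
}

// Pattern the fix adopts: a fragment-only reference that never depends on
// the document URL.
function markerUrlFragmentOnly() {
  return 'url(#' + MARKER_ID + ')';
}

// Audit helper: return every url(...) reference in SVG/HTML markup whose
// target is not a plain fragment. Handy for checking a rendered previewer
// or a vendored plugin bundle for the old pattern.
function findNonFragmentUrlRefs(markup) {
  const refs = [];
  const re = /url\(\s*(['"]?)([^)]*?)\1\s*\)/g;
  let m;
  while ((m = re.exec(markup)) !== null) {
    if (!m[2].startsWith('#')) refs.push(m[2]);
  }
  return refs;
}

// Constructed sample document URL (hypothetical host) and the marker
// attribute as the old and the fixed code would emit it.
const sampleHref = 'https://example.test/docs?tab=easing';
const oldMarkup = '<path marker-end="' + markerUrlFromHref(sampleHref) + '"/>';
const newMarkup = '<path marker-end="' + markerUrlFragmentOnly() + '"/>';

console.log(findNonFragmentUrlRefs(oldMarkup)); // URL-derived data reached the SVG
console.log(findNonFragmentUrlRefs(newMarkup)); // [] : nothing depends on the URL
```

Running the audit helper over the old markup shows the full document URL sitting inside the attribute value, which is exactly what the fragment-only form eliminates.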
Available Upgrade Options
- prismjs
- >1.1.0, <1.21.0 → Upgrade to 1.21.0
Additional Resources
- https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
- https://prismjs.com/plugins/previewers/#disabling-a-previewer
- https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
- https://osv.dev/vulnerability/GHSA-wvhm-4hhf-97x9
- https://nvd.nist.gov/vuln/detail/CVE-2020-15138
What are Similar Vulnerabilities to CVE-2020-15138?
Similar Vulnerabilities: CVE-2023-4585, CVE-2023-3850, CVE-2023-6490, CVE-2023-35824, CVE-2023-44287
