Cross-Site Scripting in Prism (GHSA-wvhm-4hhf-97x9)

Severity:: High

Description

The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

This impacts all Safari and Internet Explorer users of Prism >=v1.1.0 that use the Previewers plugin (>=v1.10.0) or the Previewer: Easing plugin (v1.1.0 to v1.9.0).

Recommendation

Update the prismjs package to the latest compatible version. Followings are version details:

Affected version(s): >= 1.1.0, < 1.21.0
Patched version(s): 1.21.0

References

GHSA-wvhm-4hhf-97x9
prismjs.com
CVE-2020-15138
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cross-site scripting in jspdf (GHSA-vh59-v9r5-4mh4) - CVE-2020-7690
Cross-site scripting in Joplin (GHSA-q26w-wjj2-22vv) - CVE-2020-28249
Cross-site Scripting in Joplin (GHSA-6r7x-hc8m-985r) - CVE-2020-9038
Cross-site Scripting in dompurify (GHSA-63q7-h895-m982) - CVE-2020-26870

Tags:: npm; prismjs

Anything's wrong? Let us know Last updated on January 09, 2023