Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
References
Link | Resource |
---|---|
https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210622-0005/ | Third Party Advisory |
https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210622-0005/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
21 Nov 2024, 06:01
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 7.6 |
References | () https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 - Third Party Advisory | |
References | () https://security.netapp.com/advisory/ntap-20210622-0005/ - Third Party Advisory |
Information
Published : 2021-05-05 16:15
Updated : 2024-11-21 06:01
NVD link : CVE-2021-29489
Mitre link : CVE-2021-29489
CVE.ORG link : CVE-2021-29489
JSON object : View
Products Affected
netapp
- cloud_backup
- oncommand_insight
- snapcenter
- oncommand_workflow_automation
highcharts
- highcharts
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')