CVE-2021-29489

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
Configurations

Configuration 1 (hide)

cpe:2.3:a:highcharts:highcharts:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:01

Type Values Removed Values Added
CVSS v2 : 3.5
v3 : 5.4
v2 : 3.5
v3 : 7.6
References () https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 - Third Party Advisory () https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 - Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20210622-0005/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20210622-0005/ - Third Party Advisory

Information

Published : 2021-05-05 16:15

Updated : 2024-11-21 06:01


NVD link : CVE-2021-29489

Mitre link : CVE-2021-29489

CVE.ORG link : CVE-2021-29489


JSON object : View

Products Affected

netapp

  • cloud_backup
  • oncommand_insight
  • snapcenter
  • oncommand_workflow_automation

highcharts

  • highcharts
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')