Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.
References
Link | Resource |
---|---|
https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 | Patch |
https://github.com/vega/vega/releases/tag/v5.23.0 | Release Notes |
https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55 | Exploit Third Party Advisory |
https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 | Patch |
https://github.com/vega/vega/releases/tag/v5.23.0 | Release Notes |
https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:51
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
References | () https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 - Patch | |
References | () https://github.com/vega/vega/releases/tag/v5.23.0 - Release Notes | |
References | () https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55 - Exploit, Third Party Advisory |
07 Nov 2023, 04:09
Type | Values Removed | Values Added |
---|---|---|
Summary | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0. |
Information
Published : 2023-03-04 00:15
Updated : 2024-11-21 07:51
NVD link : CVE-2023-26487
Mitre link : CVE-2023-26487
CVE.ORG link : CVE-2023-26487
JSON object : View
Products Affected
vega-functions_project
- vega-functions
vega_project
- vega
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')