CVE-2023-26487

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vega_project:vega:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 07:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 6.5
References () https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 - Patch () https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 - Patch
References () https://github.com/vega/vega/releases/tag/v5.23.0 - Release Notes () https://github.com/vega/vega/releases/tag/v5.23.0 - Release Notes
References () https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55 - Exploit, Third Party Advisory () https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55 - Exploit, Third Party Advisory

07 Nov 2023, 04:09

Type Values Removed Values Added
Summary Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0. Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.

Information

Published : 2023-03-04 00:15

Updated : 2024-11-21 07:51


NVD link : CVE-2023-26487

Mitre link : CVE-2023-26487

CVE.ORG link : CVE-2023-26487


JSON object : View

Products Affected

vega-functions_project

  • vega-functions

vega_project

  • vega
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')