CVE-2021-29489 – highcharts
Package
Manager: npm
Name: highcharts
Vulnerable Version: >=0 <9.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00227 pctl0.45402
Details
Options structure open to Cross-site Scripting if passed unfiltered

### Impact
In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the `useHTML` flag, HTML string options would be inserted unfiltered directly into the DOM. When `useHTML` was false, malicious code could be inserted by using various character replacement tricks or malformed HTML. If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

### Patches
In version 9, the whole rendering layer was refactored to use a DOMParser, an AST and tag and attribute allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

### Workarounds
Implementers who are not able to upgrade may apply [DOMPurify](https://github.com/cure53/DOMPurify) recursively [to the options structure](https://jsfiddle.net/highcharts/zd3wcm5L/) to filter out malicious markup.

### References
* Details on the improved [Highcharts security](https://www.highcharts.com/docs/chart-concepts/security)
* [The AST and TextBuilder refactoring](https://github.com/highcharts/highcharts/pull/14913)
* [The fix for prototype pollution](https://github.com/highcharts/highcharts/pull/14884)

### For more information
If you have any questions or comments about this advisory:
* Visit our [support page](https://www.highcharts.com/blog/support/)
* Email us at [security@highcharts.com](mailto:security@highcharts.com)
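The recursive workaround described above, as an added example that is not Highcharts' or DOMPurify's own code: it walks a chart options object received as untrusted JSON, passes every string through a sanitizer (assumed to be `DOMPurify.sanitize` in a browser; an entity-encoding stand-in named `escapeHtml` is used here so the block runs offline) and drops own keys that could pollute `Object.prototype`. The sample configuration and the function names are constructed for this example.

```javascript
// Added example, not code from Highcharts or DOMPurify: sanitize every string
// in a chart options object before it reaches Highcharts.chart().

// Own-property keys that must never be copied from untrusted JSON: copying them
// onto a plain object can reach Object.prototype (prototype pollution).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk any JSON-shaped value. `sanitize` is a string -> string function; in a
// browser pass DOMPurify.sanitize so allow-listed markup survives for useHTML.
function sanitizeOptions(value, sanitize) {
  if (typeof value === 'string') return sanitize(value);
  if (Array.isArray(value)) return value.map((item) => sanitizeOptions(item, sanitize));
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const key of Object.keys(value)) {
      if (UNSAFE_KEYS.has(key)) continue; // never copy prototype-reaching keys
      clean[key] = sanitizeOptions(value[key], sanitize);
    }
    return clean;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Stand-in sanitizer so the example runs without a DOM: entity-encodes markup
// characters, which neutralises tags but also removes useHTML formatting.
// It is a placeholder for DOMPurify.sanitize, not a replacement for it.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Constructed sample: a chart configuration received from an untrusted source,
// carrying an HTML title and a "__proto__" key (kept as a raw JSON string
// because an object literal would treat __proto__ as the prototype, not a key).
const UNTRUSTED_CONFIG_JSON =
  '{"title":{"text":"Sales <img src=x onerror=alert(1)>","useHTML":true},'
  + '"series":[{"name":"Q1","data":[1,2,3]}],"__proto__":{"polluted":true}}';

function buildSafeOptions(json, sanitize = escapeHtml) {
  // JSON.parse keeps "__proto__" as an own property; the walker drops it.
  return sanitizeOptions(JSON.parse(json), sanitize);
}

// Browser usage with the real sanitizer (assumed DOMPurify is loaded):
// Highcharts.chart('container', buildSafeOptions(json, DOMPurify.sanitize));
```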
Metadata
Created: 2021-05-06T15:45:03Z
Modified: 2022-06-06T18:17:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-8j65-4pcq-xq95/GHSA-8j65-4pcq-xq95.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8j65-4pcq-xq95
Finding: F008
Auto approve: 1