Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqNjUtNHBjcS14cTk1
Options structure open to Cross-site Scripting if passed unfiltered
Impact
In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.
If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.
Patches
In version 9, the whole rendering layer was refactored to use a DOMParser, an AST and tag and attribute allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.
Workarounds
Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
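The recursive sanitizing pass described above, as an added example that is not Highcharts' or the advisory's own code. It walks a parsed options object, runs a pluggable sanitizer over every string, refuses the own-property keys that could reach Object.prototype (the advisory notes that the v9 refactor closed prototype pollution as well), and cuts reference cycles. In a deployment the `sanitize` argument would be DOMPurify.sanitize from the dompurify package, which needs a DOM (the browser, or jsdom server-side); the escaping stand-in defined here exists only so the file runs offline and is not a substitute for DOMPurify. The sample options and payload strings are constructed for illustration.

```javascript
// Added example, not Highcharts' or the advisory's code: apply an HTML sanitizer
// recursively to a Highcharts options object before it reaches Highcharts.chart().
// In production, pass DOMPurify.sanitize (package `dompurify`; needs a DOM such as
// the browser or jsdom) as the `sanitize` argument.

// Own-property names that would let a parsed config reach Object.prototype.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Stand-in used only so this file runs offline: it escapes markup to text, which
// is safe but throws away formatting. Not a replacement for DOMPurify.
function escapeHtmlStandIn(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Returns a new tree: every string passed through `sanitize`, dangerous keys
// dropped, repeated or cyclic references replaced by empty containers.
// Non-string primitives pass through. Functions also pass through: an untrusted
// source that can supply formatter callbacks is already running code, so
// filtering strings cannot help there.
function sanitizeOptions(options, sanitize = escapeHtmlStandIn, seen = new WeakSet()) {
  if (typeof options === "string") return sanitize(options);
  if (Array.isArray(options)) {
    if (seen.has(options)) return [];
    seen.add(options);
    return options.map((item) => sanitizeOptions(item, sanitize, seen));
  }
  if (isPlainObject(options)) {
    if (seen.has(options)) return {};
    seen.add(options);
    const out = {};
    for (const key of Object.keys(options)) {
      if (DANGEROUS_KEYS.has(key)) continue; // prototype-pollution guard
      out[key] = sanitizeOptions(options[key], sanitize, seen);
    }
    return out;
  }
  return options;
}

// Constructed sample: an untrusted config carrying markup in a useHTML title and
// a prototype-pollution key. JSON.parse keeps "__proto__" as an own property,
// which is exactly what a naive recursive merge would then assign.
const untrustedOptions = JSON.parse(`{
  "title": { "text": "Sales <img src=x onerror=alert(1)>", "useHTML": true },
  "series": [{ "name": "<b onmouseover=alert(1)>Q1</b>", "data": [1, 2, 3] }],
  "__proto__": { "polluted": true }
}`);

const safeOptions = sanitizeOptions(untrustedOptions);
// Highcharts.chart("container", safeOptions);  // only the sanitized tree goes in
```

Sanitize before the options reach Highcharts.chart(), not after, and apply it to every path by which a config arrives (initial options, later setOptions/update calls). This is a mitigation for string options only; it does not change the fact that upgrading to 9.0.0 or later is the fix.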
References
- Details on the improved Highcharts security
- The AST and TextBuilder refactoring
- The fix for prototype pollution
For more information
If you have any questions or comments about this advisory:
- Visit our support page
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqNjUtNHBjcS14cTk1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 7.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS Percentage: 0.0005
EPSS Percentile: 0.21539
Identifiers: GHSA-8j65-4pcq-xq95, CVE-2021-29489
References:
- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95
- https://nvd.nist.gov/vuln/detail/CVE-2021-29489
- https://www.npmjs.com/package/highcharts
- https://security.netapp.com/advisory/ntap-20210622-0005/
- https://github.com/advisories/GHSA-8j65-4pcq-xq95
Blast Radius: 32.1
Affected Packages
npm:highcharts
Dependent packages: 945
Dependent repositories: 16,723
Downloads: 3,699,777 last month
Affected Version Ranges: < 9.0.0
Fixed in: 9.0.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 4.1.10, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.2, 8.2.0, 8.2.2
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 11.0.0, 11.0.1, 11.1.0, 11.2.0, 11.3.0, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2