Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdyNGotcjU3NS1nNjY1
Cross-Site Scripting in highcharts
Versions of highcharts
prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href
values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdyNGotcjU3NS1nNjY1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: about 1 year ago
CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-gr4j-r575-g665
References:
- https://github.com/highcharts/highcharts/issues/13559
- https://snyk.io/vuln/SNYK-JS-HIGHCHARTS-571995
- https://github.com/highcharts/highcharts/commit/55c39dd55f12ce8dfab84f8ec13ad81423bee9f5
- https://github.com/advisories/GHSA-gr4j-r575-g665
Blast Radius: 36.7
Affected Packages
npm:highcharts
Dependent packages: 945Dependent repositories: 16,723
Downloads: 3,699,777 last month
Affected Version Ranges: >= 8.0.0, < 8.1.1, < 7.2.2
Fixed in: 8.1.1, 7.2.2
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 4.1.10, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0
All unaffected versions: 7.2.2, 8.1.1, 8.1.2, 8.2.0, 8.2.2, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 11.0.0, 11.0.1, 11.1.0, 11.2.0, 11.3.0, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.4.8, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.1.1, 12.1.2