Description

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

Remediation

References

https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95

https://security.netapp.com/advisory/ntap-20210622-0005/

Related Vulnerabilities

CVE-2020-7740 Vulnerability in npm package node-pdf-generator

CVE-2021-21322 Vulnerability in npm package fastify-http-proxy

CVE-2021-40690 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2017-17485 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory NVD-CWE-noinfo