Description
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
Remediation
References
https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95
https://security.netapp.com/advisory/ntap-20210622-0005/
Related Vulnerabilities
CVE-2020-24750 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2017-1000486 Vulnerability in maven package org.primefaces:primefaces
CVE-2020-2243 Vulnerability in maven package org.jenkins-ci.plugins:vmanager-plugin
CVE-2016-4465 Vulnerability in maven package org.apache.struts.xwork:xwork-core
CVE-2017-2603 Vulnerability in maven package org.jenkins-ci.main:jenkins-core