Description

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

Remediation

References

CVE-2021-29489

Related Vulnerabilities

WordPress Plugin PHP Analytics Arbitrary File Upload (1.0.0.2)

WordPress Plugin FAQ Multiple Cross-Site Scripting Vulnerabilities (1.0.14)

MediaWiki Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Vulnerability (CVE-2014-2243)

MySQL CVE-2021-2278 Vulnerability (CVE-2021-2278)

Contao Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2012-4383)

Severity

Medium

Classification

CVE-2021-29489 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities