CVE-2021-29489

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-29489

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29489.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-29489

Aliases

GHSA-8j65-4pcq-xq95

Related

GHSA-8j65-4pcq-xq95

Published

2021-05-05T16:15:08.023Z

Modified

2026-03-14T14:58:17.262613Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

Affected packages

Git / github.com/highcharts/highcharts

Affected ranges

Type

GIT

Repo

https://github.com/highcharts/highcharts

Events

Introduced

Fixed

ea08706707c0532d71e0398b93ec9bc331c8a28e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.0.0"
        }
    ]
}

Affected versions

Other

hc6/master-tag

highmaps-v1.*

highmaps-v1.0.2

highmaps-v1.1.0

highmaps-v1.1.10

highmaps-v1.1.5

highmaps-v1.1.6

highmaps-v1.1.8

highmaps-v1.1.9

highmaps-v2.*

highmaps-v2.1.3

highstock-v1.*

highstock-v1.0.1

highstock-v1.0.2

highstock-v1.1.0

highstock-v1.1.1

highstock-v1.1.2

highstock-v1.1.3

highstock-v1.1.4

highstock-v1.1.5

highstock-v1.1.6

highstock-v1.2.0

highstock-v1.2.2

highstock-v1.2.3

highstock-v1.2.4

highstock-v1.2.5

highstock-v1.3.0

highstock-v1.3.1

highstock-v1.3.2

highstock-v1.3.3

highstock-v1.3.4

highstock-v1.3.5

highstock-v1.3.6

highstock-v1.3.7

highstock-v1.3.8

highstock-v1.3.9

highstock-v2.*

highstock-v2.0.0

highstock-v2.0.1

highstock-v2.1.0

highstock-v2.1.10

highstock-v2.1.3

highstock-v2.1.5

highstock-v2.1.6

highstock-v2.1.8

highstock-v2.1.9

v2.*

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v2.2.4

v2.2.5

v2.3.0

v2.3.2

v2.3.3

v2.3.5

v2.3Beta

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.0Beta

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.1.10

v4.1.3

v4.1.5

v4.1.6

v4.1.8

v4.1.9

v4.2.0

v4.2.1

v4.2.3

v4.2.4

v4.2.6

v4.2.7

v5.*

v5.0.0

v5.0.10

v5.0.11

v5.0.12

v5.0.13

v5.0.14

v5.0.2

v5.0.3

v5.0.5

v5.0.7

v5.0.9

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.6

v6.0.7

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.2.0

v7.*

v7.0.1

v7.0.2

v7.0.3

v7.1.0

v7.1.2

v7.2.0

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.0.4

v8.1.0

v8.1.1

v8.1.2

v8.2.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29489.json"