GHSA-8j65-4pcq-xq95

Source

https://github.com/advisories/GHSA-8j65-4pcq-xq95

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-8j65-4pcq-xq95/GHSA-8j65-4pcq-xq95.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8j65-4pcq-xq95

Aliases

CVE-2021-29489

Related

CVE-2021-29489

Published

2021-05-06T15:45:03Z

Modified

2023-11-08T04:05:35.657671Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L CVSS Calculator

Summary

Options structure open to Cross-site Scripting if passed unfiltered

Details

Impact

In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.

If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

Patches

In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

Workarounds

Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

Details on the improved Highcharts security
The AST and TextBuilder refactoring
The fix for prototype pollution

For more information

If you have any questions or comments about this advisory: * Visit our support page * For more Email us at security@highcharts.com

Database specific

{
    "nvd_published_at": "2021-05-05T16:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T15:37:11Z"
}

References

Affected packages

npm / highcharts

Package

Name: highcharts; View open source insights on deps.dev
Purl: pkg:npm/highcharts

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.0