CVE-2021-29489 Information

Description

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user’s browser. The vulnerability is patched in version 9. As a workaround implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 https://security.netapp.com/advisory/ntap-20210622-0005/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4