CVE-2021-29489

EUVD-2021-1014

05.05.2021, 16:15

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
GitHub_M	CNA	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Affected Products (NVD)

Vendor	Product	Version
highcharts	highcharts	𝑥 < 9.0.0
netapp	cloud_backup	-
netapp	oncommand_insight	-
netapp	oncommand_workflow_automation	-
netapp	snapcenter	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95

https://security.netapp.com/advisory/ntap-20210622-0005/

https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95

https://security.netapp.com/advisory/ntap-20210622-0005/