Moderate severityOSV Advisory· Published Feb 9, 2021· Updated Sep 17, 2024

Cross-site Scripting (XSS)

CVE-2021-23327

Description

The package apexcharts before 3.24.0 is vulnerable to Cross-site Scripting (XSS) via lack of sanitization of graph legend fields.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
apexcharts (npm) | < 3.24.0 | 3.24.0


Patches

68f3f34d1257

Merge pull request #2158 from 418sec/1-npm-apexcharts

https://github.com/apexcharts/apexcharts.js · Juned Chhipa · Jan 14, 2021 · via ghsa
3 files changed · +29 10
  • src/modules/legend/Legend.js+1 1 modified
    @@ -189,7 +189,7 @@ class Legend {
     
           let elLegendText = document.createElement('span')
           elLegendText.classList.add('apexcharts-legend-text')
    -      elLegendText.innerHTML = Array.isArray(text) ? text.join(' ') : text
    +      elLegendText.innerHTML = Array.isArray(text) ? Utils.sanitizeDom(text.join(' ')) : Utils.sanitizeDom(text)
     
           let textColor = w.config.legend.labels.useSeriesColors
             ? w.globals.colors[i]
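Review bot: The `+` line still writes through `innerHTML`, only now with escaped text, and it will throw if `text` is not a string, because `Utils.sanitizeDom` calls `.replace` on whatever it is given (a numeric series name, if the legend can carry one, would hit this — TODO confirm what `text` can hold). If the legend label is meant to be plain text, `elLegendText.textContent = Array.isArray(text) ? text.join(' ') : text` needs no escaping helper and cannot inject markup regardless of the value's type; if legend labels are meant to render HTML from a formatter, the escaping approach is the right one but the non-string case still needs a guard at the call site or inside the helper. The enclosing method starts and ends outside the hunk.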
    
  • src/modules/tooltip/Labels.js+9 3 modified
    @@ -1,6 +1,7 @@
     import Formatters from '../Formatters'
     import DateTime from '../../utils/DateTime'
     import Utils from './Utils'
    +import Utilities from '../../utils/Utils'
     
     /**
      * ApexCharts Tooltip.Labels Class to draw texts on the tooltip.
    @@ -165,14 +166,14 @@ export default class Labels {
           if (w.globals.yLabelFormatters[0]) {
             yLbFormatter = w.globals.yLabelFormatters[0]
           } else {
    -        yLbFormatter = function(label) {
    +        yLbFormatter = function (label) {
               return label
             }
           }
         }
     
         if (typeof yLbTitleFormatter !== 'function') {
    -      yLbTitleFormatter = function(label) {
    +      yLbTitleFormatter = function (label) {
             return label
           }
         }
    @@ -197,6 +198,11 @@ export default class Labels {
         const w = this.w
         const ttCtx = this.ttCtx
     
    +    Object.keys(values).forEach(key => {
    +      if (typeof values[key] == 'string')
    +        values[key] = Utilities.sanitizeDom(values[key])
    +    })
    +
         const { val, xVal, xAxisTTVal, zVal } = values
     
         let ttItemsChildren = null
    @@ -225,7 +231,7 @@ export default class Labels {
     
         const ttYLabel = ttItems[t].querySelector('.apexcharts-tooltip-text-label')
         if (ttYLabel) {
    -      ttYLabel.innerHTML = seriesName ? seriesName : ''
    +      ttYLabel.innerHTML = seriesName ? Utilities.sanitizeDom(seriesName) : ''
         }
         const ttYVal = ttItems[t].querySelector('.apexcharts-tooltip-text-value')
         if (ttYVal) {
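Review bot: The loop added before `const { val, xVal, xAxisTTVal, zVal } = values` rewrites the caller's `values` object in place, so every string in it is HTML-escaped for any other code that still holds that object after this call (the method signature is outside the hunk, so whether `values` is shared is inferred rather than visible), and it compares with loose `==` where the surrounding file uses strict comparison (`typeof yLbTitleFormatter !== 'function'` in the hunk above). Building an escaped copy avoids the side effect: `const safeValues = Object.keys(values).reduce((acc, k) => { acc[k] = typeof values[k] === 'string' ? Utilities.sanitizeDom(values[k]) : values[k]; return acc }, {})` followed by `const { val, xVal, xAxisTTVal, zVal } = safeValues`. The `ttYLabel.innerHTML` assignment in the last hunk is the same pattern as the Legend.js change; `ttYLabel.textContent = seriesName ? seriesName : ''` would make the escaping unnecessary there if series names are plain text.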
    
  • src/utils/Utils.js+19 6 modified
    @@ -4,7 +4,7 @@
     
     class Utils {
       static bind(fn, me) {
    -    return function() {
    +    return function () {
           return fn.apply(me, arguments)
         }
       }
    @@ -28,8 +28,8 @@ class Utils {
       // credit: http://stackoverflow.com/questions/27936772/deep-object-merging-in-es6-es7#answer-34749873
       static extend(target, source) {
         if (typeof Object.assign !== 'function') {
    -      ;(function() {
    -        Object.assign = function(target) {
    +      ; (function () {
    +        Object.assign = function (target) {
               'use strict'
               // We must check against these specific cases.
               if (target === undefined || target === null) {
    @@ -218,9 +218,9 @@ class Utils {
         )
         return rgb && rgb.length === 4
           ? '#' +
    -          ('0' + parseInt(rgb[1], 10).toString(16)).slice(-2) +
    -          ('0' + parseInt(rgb[2], 10).toString(16)).slice(-2) +
    -          ('0' + parseInt(rgb[3], 10).toString(16)).slice(-2)
    +      ('0' + parseInt(rgb[1], 10).toString(16)).slice(-2) +
    +      ('0' + parseInt(rgb[2], 10).toString(16)).slice(-2) +
    +      ('0' + parseInt(rgb[3], 10).toString(16)).slice(-2)
           : ''
       }
     
    @@ -380,6 +380,19 @@ class Utils {
         // other browser
         return false
       }
    +
    +  /**
    +   * Sanitize dangerous characters in the string to prevent Cross-Site Scripting
    +   * @param {string}
    +   * string - String to sanitize
    +   */
    +  static sanitizeDom(string) {
    +    return string
    +      .replace(/\&/g, '&amp;')
    +      .replace(/\</g, '&lt;')
    +      .replace(/\>/g, '&gt;')
    +      .replace(/\"/g, '&quot;')
    +  }
     }
     
     export default Utils
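Review bot: `sanitizeDom` does not escape the single quote, so its output is only inert as element text or inside a double-quoted attribute; a caller that interpolates it into a single-quoted attribute is not protected, and the docstring should say which context the result is safe for. It also throws a TypeError on non-string input, since `.replace` is called directly on the argument, and the JSDoc splits `@param {string}` and its name `string` across two lines, which some tooling will not read as a named parameter. The version below escapes `'` as well, coerces the argument with `String(...)` so numbers and other scalars do not throw, and documents the return value; the unnecessary backslashes in the regex literals are dropped as well.
```javascript
  /**
   * Escape the characters that are significant in HTML so the result can be
   * assigned to innerHTML, or placed in a quoted attribute value, as inert text.
   * @param {string} string - String to escape
   * @returns {string} the escaped string
   */
  static sanitizeDom(string) {
    return String(string)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;')
  }
```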
    


