High severityNVD Advisory· Published May 5, 2021· Updated Aug 3, 2024
Options structure open to XSS if passed unfiltered
CVE-2021-29489
Description
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
highchartsnpm | < 9.0.0 | 9.0.0 |
Affected products
2- Range: < 9.0.0
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-8j65-4pcq-xq95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29489ghsaADVISORY
- github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95ghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20210622-0005ghsaWEB
- security.netapp.com/advisory/ntap-20210622-0005/mitrex_refsource_CONFIRM
- www.npmjs.com/package/highchartsghsaWEB
News mentions
0No linked articles in our index yet.