GHSA-8J65-4PCQ-XQ95

Vulnerability from github – Published: 2021-05-06 15:45 – Updated: 2022-06-06 18:17
VLAI?
Summary
Options structure open to Cross-site Scripting if passed unfiltered
Details

Impact

In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.

If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

Patches

In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

Workarounds

Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

For more information

If you have any questions or comments about this advisory: * Visit our support page * For more Email us at security@highcharts.com

Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "highcharts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T15:37:11Z",
    "nvd_published_at": "2021-05-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. Especially when using the `useHTML` flag, HTML string options would be inserted unfiltered directly into the DOM. When `useHTML` was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.\n\nIf your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.\n\n### Patches\nIn version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.\n\n### Workarounds\nImplementers who are not able to upgrade may apply [DOMPurify](https://github.com/cure53/DOMPurify) recursively [to the options structure](https://jsfiddle.net/highcharts/zd3wcm5L/) to filter out malicious markup.\n\n### References\n* Details on the improved [Highcharts security](https://www.highcharts.com/docs/chart-concepts/security)\n* [The AST and TextBuilder refactoring](https://github.com/highcharts/highcharts/pull/14913)\n* [The fix for prototype pollution](https://github.com/highcharts/highcharts/pull/14884)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Visit our [support page](https://www.highcharts.com/blog/support/)\n* For more Email us at [security@highcharts.com](mailto:security@highcharts.com)\n",
  "id": "GHSA-8j65-4pcq-xq95",
  "modified": "2022-06-06T18:17:02Z",
  "published": "2021-05-06T15:45:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29489"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/highcharts/highcharts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210622-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/highcharts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Options structure open to Cross-site Scripting if passed unfiltered"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.