5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
In highcharts
versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user’s browser. Especially when using the useHTML
flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML
was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.
If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.
In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.
Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
If you have any questions or comments about this advisory:
Upgrade to version 9.0.0 or later
CPE | Name | Operator | Version |
---|---|---|---|
highcharts | lt | 9.0.0 |
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N