CVE-2021-29489 HIGH

CVE-2021-29489: Options structure open to XSS if passed unfiltered

Vendor Highcharts
Product highcharts
Weakness CWE-79 · XSS
Published May 5, 2021
Last update August 3, 2024

CVSS v3.1 base score

7.6/10 (High)
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Description

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts 8 and earlier, the chart options structure was not systematically filtered for XSS vectors, so an application that built chart options from untrusted input (chart titles, series names, labels and similar fields populated from user data) could let that input execute script in the end user's browser. The vulnerability is patched in version 9. Implementers who cannot upgrade can work around it by applying DOMPurify recursively to the options structure before handing it to Highcharts, so that malicious markup is removed from every string the structure contains. Applications whose chart options come only from trusted, static sources are not exposed by this issue on its own.
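The following is an added example, not code from Highcharts or DOMPurify, of the recursive-sanitization workaround described above: it walks the options tree and passes every string leaf through a sanitizer before the object reaches `Highcharts.chart()`. The names `sanitizeOptions` and `escapeHtmlStandIn` are this example's own. `escapeHtmlStandIn` is a crude HTML-escaping stand-in used only so the snippet runs offline; it destroys legitimate markup that `useHTML`-enabled fields rely on, so in production pass `DOMPurify.sanitize` as the `sanitize` argument. The sample options are constructed for the example.

```javascript
// Added example (not Highcharts' or DOMPurify's code): the recursive
// sanitization workaround for CVE-2021-29489. Every string leaf of the options
// tree is passed through `sanitize` before the object reaches Highcharts.chart().

// Crude stand-in for DOMPurify.sanitize so this file runs offline. It escapes
// all markup, which also breaks legitimate HTML in useHTML-enabled fields;
// in production pass DOMPurify.sanitize (npm package "dompurify") as `sanitize`.
function escapeHtmlStandIn(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return str.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Returns a sanitized deep copy of `options`; the input object is not modified.
// Strings are sanitized; numbers, booleans, null and undefined pass through;
// functions (formatter callbacks written by the application, not by the user)
// pass through; arrays and plain objects are walked recursively. A reference
// cycle raises an error instead of silently returning the unsanitized node,
// so nothing reaches Highcharts unfiltered.
function sanitizeOptions(options, sanitize = escapeHtmlStandIn, inProgress = new WeakSet()) {
  if (typeof options === 'string') return sanitize(options);
  if (options === null || typeof options !== 'object') return options;
  if (inProgress.has(options)) throw new Error('cyclic options structure');
  inProgress.add(options);
  let result;
  if (Array.isArray(options)) {
    result = options.map((v) => sanitizeOptions(v, sanitize, inProgress));
  } else {
    result = {};
    for (const [key, value] of Object.entries(options)) {
      result[key] = sanitizeOptions(value, sanitize, inProgress);
    }
  }
  inProgress.delete(options);
  return result;
}

// Constructed sample: untrusted data landing in fields Highcharts renders as HTML.
const untrustedOptions = {
  title: { text: '<img src=x onerror=alert(1)>' },
  series: [{ name: 'Revenue<script>fetch("//evil.example")</script>', data: [10, 20] }],
  tooltip: { formatter: function () { return 'fixed'; } },
};

const safeOptions = sanitizeOptions(untrustedOptions);
// In the browser: Highcharts.chart('container', safeOptions);
```

The sanitizer is injected rather than hard-coded so the same walker can take `DOMPurify.sanitize` in the browser and a stricter or test-only function elsewhere. Sanitizing the options is a stopgap for the affected versions; upgrading to Highcharts 9, where the library filters the structure itself, remains the fix.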

Disclosure timeline

May 5, 2021 CVE published
August 3, 2024 Record updated