CVE-2021-29489
Last modified
CVE-2021-29489 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. EPSS estimates a 0.87% chance of exploitation in the next 30 days.
Description
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Highcharts | Highcharts | < 9.0.0 |
| Netapp | Cloud Backup | All versions |
| Netapp | Oncommand Insight | All versions |
| Netapp | Oncommand Workflow Automation | All versions |
| Netapp | Snapcenter | All versions |
References
- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210622-0005/Third Party Advisory
- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210622-0005/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-29489?
How severe is CVE-2021-29489?
How do I fix CVE-2021-29489?
Are you affected by CVE-2021-29489?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST