Vulnerability Description
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Highcharts | Highcharts | < 9.0.0 |
| Netapp | Cloud Backup | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Snapcenter | - |
Related Weaknesses (CWE)
References
- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210622-0005/Third Party Advisory
- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210622-0005/Third Party Advisory
FAQ
What is CVE-2021-29489?
CVE-2021-29489 is a vulnerability with a CVSS score of 7.6 (HIGH). Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was...
How severe is CVE-2021-29489?
CVE-2021-29489 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-29489?
Check the references section above for vendor advisories and patch information. Affected products include: Highcharts Highcharts, Netapp Cloud Backup, Netapp Oncommand Insight, Netapp Oncommand Workflow Automation, Netapp Snapcenter.