Platform
nodejs
Component
highcharts
Fixed in
9.0.1
9.0.0
CVE-2021-29489 is a Cross-Site Scripting (XSS) vulnerability affecting Highcharts versions 8 and earlier. This flaw arises from inadequate filtering of chart options, allowing potentially malicious HTML or JavaScript code to be injected and executed within a user's browser. The vulnerability is particularly concerning when the useHTML flag is enabled, as it permits the direct insertion of unfiltered HTML strings into the Document Object Model (DOM). A fix is available in version 9.0.0.
CVE-2021-29489 in Highcharts (versions 8 and earlier) allows for Cross-Site Scripting (XSS) attacks due to a lack of systematic filtering of chart configuration options. This means an attacker could inject malicious code into a Highcharts chart, which would then execute in the end user's browser. The risk is particularly high when using the useHTML option, as it allows for the direct insertion of unfiltered HTML strings into the DOM. Even when useHTML is false, malicious code can be inserted by using various character replacement tricks or malformed HTML. This vulnerability could be exploited to steal sensitive information, redirect users to malicious websites, or perform other unauthorized actions on behalf of the user.
An attacker could exploit this vulnerability by injecting malicious JavaScript code into the configuration of a Highcharts chart. This could be achieved through a variety of methods, such as manipulating input data, injecting code into a database, or exploiting a vulnerability in a web application that uses Highcharts. Once the malicious code has been injected, it will execute in the end user's browser when the chart is loaded, allowing the attacker to steal sensitive information or perform other malicious actions.
Exploit status
EPSS
0.20% (42nd percentile)
CVSS vector
The fix for CVE-2021-29489 is to upgrade to Highcharts version 9.0.0 or later, which filters chart configuration options properly and prevents the injection of markup. Additionally, validate and escape any user-provided data that ends up in chart configuration. Avoid using useHTML unless it is absolutely necessary and you are certain the HTML content comes from a trusted source. Deploy a Content Security Policy (CSP) to restrict the sources from which scripts can be loaded and executed on your site.
Update Highcharts JS to version 9.0.0 or later. If you cannot update, apply DOMPurify recursively to the chart options structure to filter out malicious markup.
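The recursive sanitization described above, as an added example that is not Highcharts' or DOMPurify's own code: it walks a chart options object, runs every string through a sanitizer, leaves numbers, booleans and formatter callbacks untouched, and by default forces any useHTML flag to false. In production you would pass DOMPurify.sanitize as the sanitizer; the escapeHtml helper here is a constructed stand-in so the example runs offline, and the untrusted input is likewise constructed.

```javascript
// Constructed stand-in for DOMPurify.sanitize: neutralises markup by escaping it
// rather than filtering it. Swap in DOMPurify.sanitize in a real page.
function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Keys that must never be copied from untrusted JSON (prototype pollution).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively sanitize a Highcharts options object before Highcharts.chart().
//   options  - untrusted options tree (objects, arrays, strings, numbers, ...)
//   sanitize - function(string) -> string, e.g. DOMPurify.sanitize
//   opts.disableUseHTML - when true (default), every useHTML flag becomes false,
//                         so labels are rendered as text even if sanitization misses
//   path     - objects on the current path, used to reject cyclic input
function sanitizeChartOptions(options, sanitize, opts = {}, path = new WeakSet()) {
  const { disableUseHTML = true } = opts;
  if (typeof options === 'string') return sanitize(options);
  // Numbers, booleans, null, undefined and functions (formatter callbacks written
  // by the application, not by the user) pass through unchanged.
  if (options === null || typeof options !== 'object') return options;
  if (options instanceof Date) return options;
  if (path.has(options)) throw new Error('cyclic options object');
  path.add(options);
  let result;
  if (Array.isArray(options)) {
    result = options.map((v) => sanitizeChartOptions(v, sanitize, opts, path));
  } else {
    result = {};
    for (const key of Object.keys(options)) {
      if (UNSAFE_KEYS.has(key)) continue;
      if (key === 'useHTML' && disableUseHTML) {
        result[key] = false;
        continue;
      }
      result[key] = sanitizeChartOptions(options[key], sanitize, opts, path);
    }
  }
  path.delete(options); // shared (non-cyclic) references are allowed
  return result;
}

// Constructed untrusted input: a chart config whose title came from a user field.
const untrustedOptions = {
  title: { text: '<img src=x onerror="alert(1)">', useHTML: true },
  series: [{ name: 'Visits & clicks', data: [1, 2, 3] }],
  tooltip: { formatter() { return String(this.y); } },
};

const safeOptions = sanitizeChartOptions(untrustedOptions, escapeHtml);
// In a browser: Highcharts.chart('container', sanitizeChartOptions(untrustedOptions, DOMPurify.sanitize));
```

Sanitizing the whole tree rather than individual known fields matters because the advisory covers any chart option, not just titles; forcing useHTML off is a defence in depth for strings the sanitizer does not recognise as markup.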
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Updating to the latest version of Highcharts fixes this vulnerability and protects your users from XSS attacks.
If you can't update immediately, implement mitigation measures such as validating and escaping input data and deploying a CSP.
Perform a security audit of your website or use vulnerability scanning tools to identify potential XSS vulnerabilities.
CSP (Content Security Policy) is a security layer that helps prevent XSS attacks by restricting the sources of content that the browser can load.