MidnightBSD

Advisories for highcharts

CVE-2018-20801 MEDIUM

In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-185,

Products Affected

Vendor Product Version
highcharts highcharts *
CVE-2021-29489 LOW

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L 2.8 4.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
netapp cloud_backup -
netapp oncommand_insight -
netapp oncommand_workflow_automation -
netapp snapcenter -
highcharts highcharts *