CVE-2021-29489
HIGHHighcharts < 9.0.0 - Stored Cross-Site Scripting via Chart Options Structure
Title source: llmDescription
Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210622-0005/
Scores
CVSS v3
7.6
EPSS
0.0020
EPSS Percentile
41.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Details
CWE
CWE-79
Status
published
Products (6)
highcharts/highcharts
< 9.0.0
netapp/cloud_backup
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/snapcenter
npm/highcharts
0 - 9.0.0npm
Published
May 05, 2021
Tracked Since
Feb 18, 2026