CVE-2021-29489
Cross-Site Scripting (XSS) vulnerability in highcharts (npm)

Vulnerability type: Cross-Site Scripting (XSS). Known public exploit: none.

What is CVE-2021-29489 About?

This vulnerability in Highcharts allows for Cross-Site Scripting (XSS) due to insufficient filtering of chart options, affecting versions 8 and earlier. An attacker can inject malicious code into chart configurations, leading to client-side code execution in the end user's browser. Exploitation involves providing untrusted content that is then rendered by Highcharts.

Affected Software

highcharts <9.0.0

Technical Details

In Highcharts versions 8 and earlier, the internal filtering mechanisms for chart options were inadequate to prevent Cross-Site Scripting (XSS). When content from untrusted sources was used to configure charts, malicious code could be injected. This was particularly problematic when the useHTML flag was enabled, as HTML string options were inserted directly into the DOM without proper sanitization. Even with useHTML set to false, attackers could employ character replacement tricks or malformed HTML to bypass existing (albeit weak) filters and execute arbitrary JavaScript in the user's browser context. The vulnerability stems from the lack of systematic filtering of output, allowing malicious input to become part of the rendered webpage.

What is the Impact of CVE-2021-29489?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, hijack user sessions, deface web pages, or redirect users to malicious sites.

What is the Exploitability of CVE-2021-29489?

Exploitation complexity varies from low to moderate, depending on the specific attack vector. It requires an attacker to inject untrusted content into the chart options, which is then processed and rendered by Highcharts in a user's browser. No authentication is strictly required if the application processes untrusted input in an unauthenticated context (e.g., public forms). This is typically a remote, client-side attack. Prerequisites include the user visiting a page displaying a Highcharts chart configured with attacker-controlled data. The likelihood of exploitation increases if the application integrates Highcharts with user-generated or external content without proper server-side or client-side sanitization.
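The Technical Details and Exploitability sections above both come down to one application-side control: untrusted data must not reach Highcharts as raw HTML, and the useHTML switch must not be reachable from user input. The following is an added defensive example, not code from the Highcharts project or from this advisory. It assumes an application that builds its chart options partly from user-supplied JSON (titles, axis labels, category names) and wants to neutralise the HTML-insertion path described here as defence in depth; upgrading to highcharts 9.0.0 remains the fix. The names `sanitizeChartOptions`, `escapeHtml`, `CALLBACK_KEYS` and the sample input are assumptions for this example.

```javascript
// Added defensive example (not code from the Highcharts project or this advisory):
// normalise an untrusted chart-options object before it reaches Highcharts.chart().
// Assumed setup: the application accepts user-supplied JSON for chart text and
// wants the HTML-insertion path described in CVE-2021-29489 closed regardless of
// which library version is installed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the characters that would let a string be parsed as HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Option keys that hand the library a callback; never accepted from untrusted input
// (assumed list: Highcharts exposes formatter/pointFormatter/events hooks).
const CALLBACK_KEYS = new Set(['formatter', 'pointFormatter', 'events']);

// Recursively copy the options object, escaping every string, forcing useHTML off
// and dropping any callback-bearing key or function value.
function sanitizeChartOptions(options, depth = 0) {
  if (depth > 32) throw new Error('chart options nested too deeply');
  if (Array.isArray(options)) {
    return options.map((v) => sanitizeChartOptions(v, depth + 1));
  }
  if (options !== null && typeof options === 'object') {
    const clean = {};
    for (const [key, value] of Object.entries(options)) {
      if (CALLBACK_KEYS.has(key) || typeof value === 'function') continue;
      // useHTML switches Highcharts to raw DOM insertion of option strings; keep it off.
      clean[key] = key === 'useHTML' ? false : sanitizeChartOptions(value, depth + 1);
    }
    return clean;
  }
  return typeof options === 'string' ? escapeHtml(options) : options;
}

// Constructed sample of attacker-influenced input, as an application might receive it.
const UNTRUSTED_OPTIONS = {
  title: { text: 'Q1 <script>x()</script>', useHTML: true },
  xAxis: { categories: ['a<b', 'c'] },
  tooltip: { formatter: 'not a function, still dropped' },
};

// Returns the sanitised options; the caller would pass this to Highcharts.chart().
function demo() {
  return sanitizeChartOptions(UNTRUSTED_OPTIONS);
}
```

Running `demo()` yields `title.text` as `Q1 &lt;script&gt;x()&lt;/script&gt;`, `title.useHTML` as `false`, escaped category names and no `tooltip.formatter` key. Escaping removes markup from user text entirely; if the product legitimately wants bold text or line breaks in user-supplied labels, handle that with an allowlist of the few tags the renderer needs rather than by turning useHTML back on.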

What are the Known Public Exploits?

No known public exploits or proof-of-concept code are recorded for this vulnerability (PoC, author, link and commentary: none).

What are the Available Fixes for CVE-2021-29489?

Available Upgrade Options

  • highcharts
    • <9.0.0 → Upgrade to 9.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-29489?

Similar Vulnerabilities: CVE-2021-23841, CVE-2021-21272, CVE-2021-22904, CVE-2021-23336, CVE-2021-21315