CVE-2021-29489: Options structure open to Cross-site Scripting if passed unfiltered
CVSS Score: 7.6 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-29489
GHSA ID:
EPSS Score: 0.30842%
CWE:
Published: 5/6/2021
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| highcharts | npm | < 9.0.0 | 9.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized processing of the options structure. Key indicators are:

1. The 'useHTML' flag's direct DOM insertion path.
2. Character replacement tricks implying text node injection vectors.
3. The systemic lack of AST-based filtering pre-v9.

The rendering layer's TextBuilder and core chart initialization would handle these untrusted inputs. While exact function names aren't explicitly listed in advisories, Highcharts' architecture and vulnerability patterns indicate these components as primary XSS injection points.