opentok-network-test-js icon indicating copy to clipboard operation
opentok-network-test-js copied to clipboard

Published 20 hours ago verified publisher icon opentok

highcharts-8.2.2.tgz: 1 vulnerabilities (highest severity is: 5.4)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - highcharts-8.2.2.tgz

JavaScript charting framework

Library home page: https://registry.npmjs.org/highcharts/-/highcharts-8.2.2.tgz

Path to dependency file: /sample/package.json

Path to vulnerable library: /sample/node_modules/highcharts/package.json

Found in HEAD commit: 0ac2d408a692a6a2437609518ddd28b4bb712ca3

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-29489 Medium 5.4 highcharts-8.2.2.tgz Direct 9.0.0

Details

CVE-2021-29489

Vulnerable Library - highcharts-8.2.2.tgz

JavaScript charting framework

Library home page: https://registry.npmjs.org/highcharts/-/highcharts-8.2.2.tgz

Path to dependency file: /sample/package.json

Path to vulnerable library: /sample/node_modules/highcharts/package.json

Dependency Hierarchy:

  • :x: highcharts-8.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 0ac2d408a692a6a2437609518ddd28b4bb712ca3

Found in base branch: master

Vulnerability Details

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

Publish Date: 2021-05-05

URL: CVE-2021-29489

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1667

Release Date: 2021-05-05

Fix Resolution: 9.0.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] avatar Aug 12 '22 12:08 mend-for-github-com[bot]