CVSS: 7.6EPSS: 0%CPEs: 5EXPL: 0CVE-2021-29489 – Options structure open to XSS if passed unfiltered
https://notcve.org/view.php?id=CVE-2021-29489
05 May 2021 — Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup. • https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 2CVE-2018-20801
https://notcve.org/view.php?id=CVE-2018-20801
14 Mar 2019 — In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS. En js/parts/SvgRenderer.js en Highcharts JS, en versiones anteriores a la 6.1.0, el uso de expresiones regulares de backtracking permitía que un atacante llevase a cabo un ataque de denegación de servicio contra el componente SVGRenderer, también conocido como ReDoS. • https://github.com/ossf-cve-benchmark/CVE-2018-20801 • CWE-185: Incorrect Regular Expression •