Vulnerability Name:

CVE-2021-29489 (CCN-201299)

Assigned:2021-05-05
Published:2021-05-05
Updated:2022-06-04
Summary:Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.
CVSS v3 Severity:5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2021-29489

Source: XF
Type: UNKNOWN
highcharts-cve202129489-xss(201299)

Source: CCN
Type: Highcharts JS GIT Repository
Options structure open to XSS if passed unfiltered

Source: CONFIRM
Type: Third Party Advisory
https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210622-0005/

Source: CCN
Type: IBM Security Bulletin 6610741 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489)

Source: CCN
Type: IBM Security Bulletin 6999327 (Qradar Advisor)
IBM QRadar Advisor With Watson App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: NPM Web site
highcharts

Vulnerable Configuration:Configuration 1:
  • cpe:/a:highcharts:highcharts:*:*:*:*:*:*:*:* (Version < 9.0.0)

    • Configuration 2:
  • cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    highcharts highcharts *
    netapp cloud backup -
    netapp snapcenter -
    netapp oncommand workflow automation -
    netapp oncommand insight -