kirjs / react-highcharts

React wrapper for Highcharts library

Home Page:http://kirjs.github.io/react-highcharts/

Upgrade Highcharts - Cross Site Scripting vuln

rjensen-r7 opened this issue · comments

Highcharts dependency needs to be upgraded to >= 8.1.1.

https://www.npmjs.com/advisories/1227
Overview
Versions of highcharts prior to 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.

Remediation
Upgrade to version 8.1.1 or later.

is anyone working on resolving this? @kirjs

I'm also getting the same problem even for the latest version

Version installed:
"highcharts": "^8.2.0",
"react-highcharts": "^16.1.0",

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.2.2 <8.0.0 || >=8.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-highcharts > highcharts │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1227 │
└───────────────┴──────────────────────────────────────────────────────────────┘

Hope this will get fixed sooner. 👍
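As an added example (not code from react-highcharts, Highcharts or anyone in this thread), a small evaluator for the audit table's `Patched in` range, so a lockfile check can tell whether a resolved highcharts version falls inside a patched range. The range string is copied from the table above; the sample versions are constructed.

```javascript
// Added example: evaluate an npm audit "Patched in" range such as
// ">=7.2.2 <8.0.0 || >=8.1.1" against a resolved highcharts version.
// Not part of react-highcharts or Highcharts.

function parseVersion(v) {
  // A caret/tilde spec ("^8.2.0") is reduced to its lower bound here;
  // check the resolved version from the lockfile, not the package.json spec.
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '>=': (c) => c >= 0,
  '>': (c) => c > 0,
  '<=': (c) => c <= 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

// A range is a list of alternatives separated by "||"; each alternative is a
// whitespace-separated conjunction of comparators like ">=8.1.1".
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      const op = OPS[m[1] || '='];
      return op(compare(v, parseVersion(m[2])));
    })
  );
}

// Range copied from the "Patched in" row of the audit table above.
const PATCHED_IN = '>=7.2.2 <8.0.0 || >=8.1.1';

function isPatched(version) {
  return satisfies(version, PATCHED_IN);
}
```

Note that `"highcharts": "^8.2.0"` in package.json is only a spec; npm audit reports on the version actually resolved along the path it prints (`react-highcharts > highcharts`), which is the version to feed into `isPatched`.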

There is an official HighchartsReact wrapper now, which might be the path forward: https://github.com/highcharts/highcharts-react