The vaadin-charts-flow of vaadin-14 uses highcharts.js version 6.1.4, which is vulnerable to Cross-Site Scripting (XSS).
Currently getting the below in dependency check:
vaadin-charts-6.3.4.jar: highcharts.js (pkg:javascript/highcharts@6.1.4) : Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS), CVE-2021-29489
Expected outcome
The vaadin-charts-flow version for vaadin 14 should use the non-vulnerable highcharts version 8.2.2.
Though vaadin-charts-flow version 21.0.9 can be used as a workaround, the default should use the non-vulnerable highcharts version.
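The dependency-check finding above keys off the version banner of the highcharts.js file bundled inside the charts jar. The script below is an added example, not code from the issue or from the Vaadin project: it parses the purl in a dependency-check summary line, opens a jar, locates bundled highcharts*.js entries, reads their version banner, and classifies each against the fixed versions the finding names for CVE-2021-29489 (7.2.2 for the 7.x line, 8.1.1 for the 8.x line). The banner regex, the jar layout and the sample jar are assumptions constructed for the demo; point `report()` at real jar bytes to check your own build.

```python
"""Classify bundled Highcharts builds against the CVE-2021-29489 fixed versions.

Added example, not part of the Vaadin issue or project. The banner format,
the jar entry path and the sample jar below are constructed assumptions.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions named in the dependency-check finding on the page.
FIXED_7X: Version = (7, 2, 2)
FIXED_8X: Version = (8, 1, 1)

# Highcharts builds carry a banner comment like "Highcharts JS v6.1.4 (...)"
# near the top of the file (assumption about the banner format).
BANNER_RE = re.compile(rb"Highcharts(?: JS)? v(\d+)\.(\d+)\.(\d+)")
# Package URL as printed by dependency-check, e.g. pkg:javascript/highcharts@6.1.4
PURL_RE = re.compile(r"pkg:javascript/highcharts@(\d+)\.(\d+)\.(\d+)")


def is_vulnerable(version: Version) -> bool:
    """Apply the advisory's ranges: below 7.2.2 in the 7.x line, below 8.1.1
    in the 8.x line; majors older than 7 never received the fix."""
    major = version[0]
    if major < 7:
        return True
    if major == 7:
        return version < FIXED_7X
    if major == 8:
        return version < FIXED_8X
    return False  # 9.x and later start after both fixes


def version_from_dependency_check_line(line: str) -> Optional[Version]:
    """Pull the highcharts version out of a dependency-check summary line."""
    m = PURL_RE.search(line)
    return tuple(int(g) for g in m.groups()) if m else None


def bundled_highcharts_versions(jar_bytes: bytes) -> Dict[str, Version]:
    """Map each bundled highcharts*.js entry in a jar to its banner version."""
    found: Dict[str, Version] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not re.search(r"highcharts[^/]*\.js$", name):
                continue
            head = jar.read(name)[:512]  # the banner sits at the top of the file
            m = BANNER_RE.search(head)
            if m:
                found[name] = tuple(int(g) for g in m.groups())
    return found


def build_sample_jar() -> bytes:
    """Constructed stand-in for a charts jar: one bundled highcharts.js with a
    6.1.4 banner plus an unrelated manifest entry (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/resources/frontend/highcharts/highcharts.js",
            b"/*\n Highcharts JS v6.1.4 (2018-09-25)\n*/\n(function(){})();\n",
        )
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def report(jar_bytes: bytes) -> List[Tuple[str, str, bool]]:
    """Return (entry, version_string, vulnerable) rows for each bundled build."""
    rows = []
    for name, ver in sorted(bundled_highcharts_versions(jar_bytes).items()):
        rows.append((name, ".".join(map(str, ver)), is_vulnerable(ver)))
    return rows


if __name__ == "__main__":
    # The dependency-check line quoted in the issue.
    sample_line = (
        "vaadin-charts-6.3.4.jar: highcharts.js (pkg:javascript/highcharts@6.1.4) : "
        "Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to "
        "Cross-Site Scripting (XSS), CVE-2021-29489"
    )
    v = version_from_dependency_check_line(sample_line)
    print("dependency-check line ->", v, "vulnerable:", is_vulnerable(v))
    for entry, ver, vuln in report(build_sample_jar()):
        print(f"{entry}: v{ver} -> {'VULNERABLE' if vuln else 'fixed'}")
```

The major-aware comparison matters: a plain "is it below 8.1.1" test would misclassify 7.2.2 as vulnerable, while a plain "is it below 7.2.2" test would wave through 8.0.x builds that the finding still covers.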
We need to check the list of reports for the specified HC version and decide on whether we can cover those without bumping major version.
yuriy-fix changed the title from "Vulnerable Highcharts.js version 6.1.4 in Vaadin 14 vaadin-charts" to "Vulnerable Highcharts.js version 6.1.4 in Vaadin 14 vaadin-charts [1-2]" on Apr 4, 2024
yuriy-fix changed the title from "Vulnerable Highcharts.js version 6.1.4 in Vaadin 14 vaadin-charts [1-2]" to "Vulnerable Highcharts.js version 6.1.4 in Vaadin 14 vaadin-charts [2 days]" on Apr 4, 2024
Found the security report done by Highcharts related to this issue here.
There, they provide a workaround for those who can't upgrade Highcharts version, which is our case, so I will work on a way to apply it to the component.
Minimal reproducible example
Add the dependency for adding charts
and also the plugin for dependency check
Steps to reproduce
Run
Environment
Vaadin version(s): 14.11.7
Browsers
No response