Vulnerability-Lookup

CVE-2021-29489 (GCVE-0-2021-29489)

Vulnerability from cvelistv5 – Published: 2021-05-05 15:30 – Updated: 2024-08-03 22:11

Title

Options structure open to XSS if passed unfiltered

Summary

Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

CWE

CWE-79 - Cross-site Scripting (XSS)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/highcharts/highcharts/security…	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-2021062…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	highcharts	highcharts	Affected: < 9.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:05.477Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "highcharts",
          "vendor": "highcharts",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-22T08:06:34.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
        }
      ],
      "source": {
        "advisory": "GHSA-8j65-4pcq-xq95",
        "discovery": "UNKNOWN"
      },
      "title": "Options structure open to XSS if passed unfiltered",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29489",
          "STATE": "PUBLIC",
          "TITLE": "Options structure open to XSS if passed unfiltered"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "highcharts",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 9.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "highcharts"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95",
              "refsource": "CONFIRM",
              "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210622-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-8j65-4pcq-xq95",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29489",
    "datePublished": "2021-05-05T15:30:18.000Z",
    "dateReserved": "2021-03-30T00:00:00.000Z",
    "dateUpdated": "2024-08-03T22:11:05.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CNVD-2021-36222

Vulnerability from cnvd - Published: 2021-05-21

Title

Highcharts JS跨站脚本漏洞

Description

Highcharts JS是一款基于SVG的JavaScript图表框架。DOMPurify是一款使用JavaScript编写的，用于HTML、MathML和SVG的DOM（文档对象模型）。 Highcharts JS 存在跨站脚本漏洞，攻击者可利用该漏洞在浏览器中执行代码。

Severity

低

Patch Name

Highcharts JS跨站脚本漏洞的补丁

Patch Description

Highcharts JS是一款基于SVG的JavaScript图表框架。DOMPurify是一款使用JavaScript编写的，用于HTML、MathML和SVG的DOM（文档对象模型）。 Highcharts JS 存在跨站脚本漏洞，攻击者可利用该漏洞在浏览器中执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-29489

Impacted products

Name
Highcharts JS Highcharts JS <9.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-29489"
    }
  },
  "description": "Highcharts JS\u662f\u4e00\u6b3e\u57fa\u4e8eSVG\u7684JavaScript\u56fe\u8868\u6846\u67b6\u3002DOMPurify\u662f\u4e00\u6b3e\u4f7f\u7528JavaScript\u7f16\u5199\u7684\uff0c\u7528\u4e8eHTML\u3001MathML\u548cSVG\u7684DOM\uff08\u6587\u6863\u5bf9\u8c61\u6a21\u578b\uff09\u3002\n\nHighcharts JS \u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-36222",
  "openTime": "2021-05-21",
  "patchDescription": "Highcharts JS\u662f\u4e00\u6b3e\u57fa\u4e8eSVG\u7684JavaScript\u56fe\u8868\u6846\u67b6\u3002DOMPurify\u662f\u4e00\u6b3e\u4f7f\u7528JavaScript\u7f16\u5199\u7684\uff0c\u7528\u4e8eHTML\u3001MathML\u548cSVG\u7684DOM\uff08\u6587\u6863\u5bf9\u8c61\u6a21\u578b\uff09\u3002\r\n\r\nHighcharts JS \u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4ee3\u7801\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Highcharts JS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Highcharts JS Highcharts JS \u003c9.0.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-29489",
  "serverity": "\u4f4e",
  "submitTime": "2021-05-07",
  "title": "Highcharts JS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

GHSA-8J65-4PCQ-XQ95

Vulnerability from github – Published: 2021-05-06 15:45 – Updated: 2022-06-06 18:17

Summary

Options structure open to Cross-site Scripting if passed unfiltered

Details

Impact

In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.

If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

Patches

In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

Workarounds

Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

Details on the improved Highcharts security
The AST and TextBuilder refactoring
The fix for prototype pollution

For more information

If you have any questions or comments about this advisory: * Visit our support page * For more Email us at security@highcharts.com

Severity ?

7.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "highcharts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T15:37:11Z",
    "nvd_published_at": "2021-05-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. Especially when using the `useHTML` flag, HTML string options would be inserted unfiltered directly into the DOM. When `useHTML` was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.\n\nIf your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.\n\n### Patches\nIn version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.\n\n### Workarounds\nImplementers who are not able to upgrade may apply [DOMPurify](https://github.com/cure53/DOMPurify) recursively [to the options structure](https://jsfiddle.net/highcharts/zd3wcm5L/) to filter out malicious markup.\n\n### References\n* Details on the improved [Highcharts security](https://www.highcharts.com/docs/chart-concepts/security)\n* [The AST and TextBuilder refactoring](https://github.com/highcharts/highcharts/pull/14913)\n* [The fix for prototype pollution](https://github.com/highcharts/highcharts/pull/14884)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Visit our [support page](https://www.highcharts.com/blog/support/)\n* For more Email us at [security@highcharts.com](mailto:security@highcharts.com)\n",
  "id": "GHSA-8j65-4pcq-xq95",
  "modified": "2022-06-06T18:17:02Z",
  "published": "2021-05-06T15:45:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29489"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/highcharts/highcharts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210622-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/highcharts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Options structure open to Cross-site Scripting if passed unfiltered"
}

CERTFR-2023-AVI-0427

Vulnerability from certfr_avis - Published: 2023-06-01 - Updated: 2023-06-01

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	QRadar	IBM Qradar Advisor versions 2.5 à 2.6.4 antérieures à 2.6.5
IBM	QRadar	IBM QRadar Pulse App versions 1.x.x à 2.2.9 antérieures à 2.2.10
IBM	AIX	AIX version 7.3 TL1 antérieures à 7.3.1 avec le correctif de sécurité 32221a.230524.epkg.Z
IBM	QRadar SIEM	IBM Qradar SIEM versions 7.5.0 antérieures à 7.5.0 UP5
IBM	WebSphere	IBM WebSphere Application Server Liberty versions 17.0.0.3 à 23.0.0.5 antérieures à 23.0.0.6
IBM	QRadar WinCollect Agent	IBM QRadar WinCollect Agent versions 10.x.x antérieures à 10.1.4
IBM	N/A	IBM Spectrum Protect Plus Db2 Agent versions 10.1.1x antérieures à 10.1.14
IBM	Spectrum	IBM Spectrum Protect Plus MongoDB Agent versions 10.1.x antérieures à 10.1.14
IBM	QRadar SIEM	IBM Qradar SIEM versions 7.4.3 antérieures à 7.4.3 FP9

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6999681 du 31 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999285 du 30 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6998763 du 26 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999343 du 30 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999327 du 30 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999331 du 30 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999619 du 31 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999287 du 30 mai 2023	None	vendor-advisory
Bulletin de sécurité IBM 6999341 du 30 mai 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Qradar Advisor versions 2.5 \u00e0 2.6.4 ant\u00e9rieures \u00e0 2.6.5",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar Pulse App versions 1.x.x \u00e0 2.2.9 ant\u00e9rieures \u00e0 2.2.10",
      "product": {
        "name": "QRadar",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "AIX version 7.3 TL1 ant\u00e9rieures \u00e0 7.3.1 avec le correctif de s\u00e9curit\u00e9 32221a.230524.epkg.Z",
      "product": {
        "name": "AIX",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Qradar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP5",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM WebSphere Application Server Liberty versions 17.0.0.3 \u00e0 23.0.0.5 ant\u00e9rieures \u00e0 23.0.0.6",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM QRadar WinCollect Agent versions 10.x.x ant\u00e9rieures \u00e0 10.1.4",
      "product": {
        "name": "QRadar WinCollect Agent",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Protect Plus Db2 Agent versions 10.1.1x ant\u00e9rieures \u00e0 10.1.14",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Spectrum Protect Plus MongoDB Agent versions 10.1.x ant\u00e9rieures \u00e0 10.1.14",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Qradar SIEM versions 7.4.3 ant\u00e9rieures \u00e0 7.4.3 FP9",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-28867",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28867"
    },
    {
      "name": "CVE-2023-25577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25577"
    },
    {
      "name": "CVE-2023-27555",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27555"
    },
    {
      "name": "CVE-2022-31676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31676"
    },
    {
      "name": "CVE-2023-23934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23934"
    },
    {
      "name": "CVE-2020-10735",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10735"
    },
    {
      "name": "CVE-2022-35977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-35977"
    },
    {
      "name": "CVE-2022-40897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
    },
    {
      "name": "CVE-2018-20801",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-20801"
    },
    {
      "name": "CVE-2022-43441",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-43441"
    },
    {
      "name": "CVE-2022-3786",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
    },
    {
      "name": "CVE-2023-26278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26278"
    },
    {
      "name": "CVE-2022-24999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
    },
    {
      "name": "CVE-2022-32221",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-32221"
    },
    {
      "name": "CVE-2023-26277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26277"
    },
    {
      "name": "CVE-2023-22458",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22458"
    },
    {
      "name": "CVE-2022-25901",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25901"
    },
    {
      "name": "CVE-2022-25881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
    },
    {
      "name": "CVE-2022-24736",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24736"
    },
    {
      "name": "CVE-2023-24329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-24329"
    },
    {
      "name": "CVE-2022-3602",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
    },
    {
      "name": "CVE-2021-29489",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29489"
    }
  ],
  "initial_release_date": "2023-06-01T00:00:00",
  "last_revision_date": "2023-06-01T00:00:00",
  "links": [],
  "reference": "CERTFR-2023-AVI-0427",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-06-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un\nd\u00e9ni de service \u00e0 distance et un contournement de la politique de\ns\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999681 du 31 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999681"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999285 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999285"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6998763 du 26 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6998763"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999343 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999343"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999327 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999327"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999331 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999331"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999619 du 31 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999619"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999287 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999287"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6999341 du 30 mai 2023",
      "url": "https://www.ibm.com/support/pages/node/6999341"
    }
  ]
}

CERTFR-2022-AVI-712

Vulnerability from certfr_avis - Published: 2022-08-08 - Updated: 2022-08-08

De multiples vulnérabilités ont été découvertes dans IBM QRadar SIEM. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	QRadar SIEM	IBM QRadar User Behavior Analytics versions antérieures à 4.1.8

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6610741 du 05 août 2022	None	vendor-advisory
Bulletin de sécurité IBM 6610729 du 05 août 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM QRadar User Behavior Analytics versions ant\u00e9rieures \u00e0 4.1.8",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-41182",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41182"
    },
    {
      "name": "CVE-2021-4104",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
    },
    {
      "name": "CVE-2021-23445",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23445"
    },
    {
      "name": "CVE-2021-41184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41184"
    },
    {
      "name": "CVE-2021-41183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41183"
    },
    {
      "name": "CVE-2021-29489",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29489"
    }
  ],
  "initial_release_date": "2022-08-08T00:00:00",
  "last_revision_date": "2022-08-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-712",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-08-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar SIEM.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar SIEM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6610741 du 05 ao\u00fbt 2022",
      "url": "https://www.ibm.com/support/pages/node/6610741"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6610729 du 05 ao\u00fbt 2022",
      "url": "https://www.ibm.com/support/pages/node/6610729"
    }
  ]
}

GSD-2021-29489

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-29489

Aliases

CVE-2021-29489

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29489",
    "description": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.",
    "id": "GSD-2021-29489"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29489"
      ],
      "details": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.",
      "id": "GSD-2021-29489",
      "modified": "2023-12-13T01:23:36.905431Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29489",
        "STATE": "PUBLIC",
        "TITLE": "Options structure open to XSS if passed unfiltered"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "highcharts",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 9.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "highcharts"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79 Cross-site Scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95",
            "refsource": "CONFIRM",
            "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210622-0005/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-8j65-4pcq-xq95",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c9.0.0",
          "affected_versions": "All versions before 9.0.0",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-06-04",
          "description": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.",
          "fixed_versions": [
            "9.0.0"
          ],
          "identifier": "CVE-2021-29489",
          "identifiers": [
            "CVE-2021-29489",
            "GHSA-8j65-4pcq-xq95"
          ],
          "not_impacted": "All versions starting from 9.0.0",
          "package_slug": "npm/highcharts",
          "pubdate": "2021-05-05",
          "solution": "Upgrade to version 9.0.0 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29489"
          ],
          "uuid": "f4638e23-3030-4ea1-9bb8-ab0b285a5cb8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:highcharts:highcharts:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29489"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210622-0005/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-06-04T01:45Z",
      "publishedDate": "2021-05-05T16:15Z"
    }
  }
}

FKIE_CVE-2021-29489

Vulnerability from fkie_nvd - Published: 2021-05-05 16:15 - Updated: 2024-11-21 06:01

Severity ?

7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95	Third Party Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20210622-0005/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210622-0005/	Third Party Advisory

Impacted products

Vendor	Product	Version
highcharts	highcharts	*
netapp	cloud_backup	-
netapp	oncommand_insight	-
netapp	oncommand_workflow_automation	-
netapp	snapcenter	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:highcharts:highcharts:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07FC10C8-AE4A-442B-B2C1-823AC711BF23",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user\u0027s browser. The vulnerability is patched in version 9. As a workaround, implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup."
    },
    {
      "lang": "es",
      "value": "Highcharts JS es una biblioteca de gr\u00e1ficos de JavaScript basada en SVG.\u0026#xa0;En Highcharts versiones 8 y anteriores, la estructura de opciones de gr\u00e1ficos no se filtraba sistem\u00e1ticamente para vectores de tipo XSS.\u0026#xa0;El impacto potencial fue que el contenido de fuentes no confiables podr\u00eda ejecutar c\u00f3digo en el navegador del usuario final.\u0026#xa0;La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 9. Como soluci\u00f3n alternativa, los implementadores que no son capaces de actualizar pueden aplicar DOMPurify de forma recursiva a la estructura de opciones para filtrar el marcado malicioso"
    }
  ],
  "id": "CVE-2021-29489",
  "lastModified": "2024-11-21T06:01:14.670",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-05T16:15:08.023",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210622-0005/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29489 (GCVE-0-2021-29489)

CNVD-2021-36222

GHSA-8J65-4PCQ-XQ95

Impact

Patches

Workarounds

References

For more information

CERTFR-2023-AVI-0427

Solution

CERTFR-2022-AVI-712

Solution

GSD-2021-29489

FKIE_CVE-2021-29489

Tags

Sightings

Nomenclature