Vega · Vega · CVE-2025-25304
Name of the Vulnerable Software and Affected Versions:
vega versions prior to 5.26.0
vega-selections versions prior to 5.4.2
Description:
The `vlSelectionTuples` expression function can be abused to call attacker-chosen JavaScript functions, leading to cross-site scripting in applications that render untrusted Vega or Vega-Lite specifications. Internally the function invokes several functions taken from values the attacker controls, and one of those calls passes an attacker-controlled argument. By routing that call to `Function()`, an attacker compiles arbitrary JavaScript source into a function; the resulting function can then be invoked either explicitly, through another `vlSelectionTuples` call, or implicitly, through type coercion, by installing it as an object's `toString` or `valueOf`.
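As an added illustration (not code from vega, vega-selections, or this advisory), the block below models the call pattern the description refers to: a tuple-building function that invokes functions taken from caller-controlled data and passes a caller-controlled argument to one of them, beside a hardened version that only ever calls accessors it constructs itself. The names `selectionTuplesUnsafe`, `selectionTuplesSafe` and `fieldAccessor`, the shape of the `array` and `base` inputs, the constructed attacker payload, and the hardening approach are assumptions for illustration; they are not the actual code of the vulnerable or fixed releases. The example also hands a `Function` reference in directly, whereas a real attack would first have to obtain one from within Vega's expression sandbox.

```javascript
// Added example (not code from vega or vega-selections): a simplified model of the
// pattern the advisory describes, beside a hardened form. Function names, the shape
// of `array`/`base` and the hardening approach are assumptions for illustration.

// Minimal dotted-path accessor, standing in for a library's field() helper:
// fieldAccessor('a.b') -> datum => datum.a.b
function fieldAccessor(name) {
  const path = String(name).split('.');
  return datum => path.reduce((o, k) => (o == null ? undefined : o[k]), datum);
}

// VULNERABLE pattern. Every call target here (`array.map`, `base.fields.map`,
// `f.getter`) comes from caller-controlled data, and `f.getter` is invoked with the
// caller-controlled argument `x.datum`. If `f.getter` is `Function`, the call
// becomes Function(<attacker string>): arbitrary source compiled into a function.
function selectionTuplesUnsafe(array, base) {
  return array.map(x => ({
    ...base,
    values: base.fields.map(f => (f.getter || (f.getter = fieldAccessor(f.field)))(x.datum))
  }));
}

// HARDENED pattern. Never invoke a function taken from untrusted input: require
// real arrays, require each field spec to carry a string field name, build the
// accessor locally from that name, and ignore any caller-supplied `getter`.
function selectionTuplesSafe(array, base) {
  if (!Array.isArray(array) || !base || !Array.isArray(base.fields)) {
    throw new TypeError('selectionTuples: expected an array and a base.fields array');
  }
  const getters = base.fields.map(f => {
    if (!f || typeof f.field !== 'string') {
      throw new TypeError('selectionTuples: each field spec needs a string "field"');
    }
    return fieldAccessor(f.field);
  });
  return array.map(x => ({
    fields: base.fields.map(f => ({ field: f.field })), // copy only validated data
    values: getters.map(g => g(x && x.datum))
  }));
}

// Constructed attacker input: Function smuggled in as a getter, JavaScript source as
// the datum. A real exploit must first reach Function from inside Vega's expression
// sandbox; this model hands it in directly to isolate the call pattern.
const PAYLOAD = 'globalThis.__xssMarker.hit = true; return 42';

function demoUnsafe() {
  const marker = { hit: false };
  globalThis.__xssMarker = marker;            // stands in for an observable side effect
  const result = selectionTuplesUnsafe([{ datum: PAYLOAD }], { fields: [{ getter: Function }] });
  const compiled = result[0].values[0];        // now a function compiled from PAYLOAD
  const direct = compiled();                   // explicit call (e.g. via a second tuple call)
  const coerced = { valueOf: compiled } + 0;   // implicit call through type coercion
  return { isFunction: typeof compiled === 'function', direct, coerced, hit: marker.hit };
}

function demoSafe() {
  const marker = { hit: false };
  globalThis.__xssMarker = marker;
  // Getter without a field name: rejected before anything is called.
  let noField;
  try {
    selectionTuplesSafe([{ datum: PAYLOAD }], { fields: [{ getter: Function }] });
    noField = 'executed';
  } catch (e) {
    noField = e instanceof TypeError ? 'rejected' : 'error';
  }
  // Getter smuggled beside a valid field name: ignored, the datum is only read as data.
  const withField = selectionTuplesSafe([{ datum: { a: PAYLOAD } }],
                                        { fields: [{ field: 'a', getter: Function }] });
  return { noField, valueIsString: typeof withField[0].values[0] === 'string', hit: marker.hit };
}
```

Run under Node: `demoUnsafe()` shows that the compiled payload executes both on an explicit call and through the `valueOf` coercion route, while `demoSafe()` either rejects the spec outright or treats the smuggled getter as inert data, so the payload string is never compiled. The design point is that the hardened version has no code path in which a value from the input is used as a call target.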
Recommendations:
For vega versions prior to 5.26.0, update to version 5.26.0 or later to fix the issue.
For vega-selections versions prior to 5.4.2, update to version 5.4.2 or later to fix the issue.
If you cannot update immediately, disable the `vlSelectionTuples` function as a temporary workaround; this is a stopgap, and the fixed releases above remain the actual remedy.