Torstein Honsi

Name of the Vulnerable Software and Affected Versions: Highcharts versions 8 and earlier Description: Highcharts JS is a JavaScript charting library based on SVG. In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the `useHTML` flag, HTML string options would be inserted unfiltered directly into the DOM. When `useHTML` was false, malicious code could be inserted by using various character replacement tricks or malformed HTML. Recommendations: For Highcharts versions 8 and earlier, as a temporary workaround, consider applying DOMPurify recursively to the options structure to filter out malicious markup. For a permanent fix, upgrade to Highcharts version 9, which includes a refactored rendering layer using an DOMParser, an AST, and tag and HTML allow-listing to ensure only safe content enters the DOM.