Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega in an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine. This is fixed in version 5.17.3
References
Link | Resource |
---|---|
https://github.com/vega/vega/issues/3018 | Third Party Advisory |
https://github.com/vega/vega/pull/3019 | Third Party Advisory |
https://github.com/vega/vega/releases/tag/v5.17.3 | Release Notes Third Party Advisory |
https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54 | Third Party Advisory |
https://www.npmjs.com/package/vega | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-12-30T23:10:16
Updated: 2020-12-30T23:10:16
Reserved: 2020-10-01T00:00:00
Link: CVE-2020-26296
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-12-30T23:15:15.233
Modified: 2021-01-06T18:06:11.157
Link: CVE-2020-26296
JSON object: View
Redhat Information
No data.
CWE