CSS Injection

Affecting plotly.js package, versions <1.16.0

Overview

plotly.js is a high-level, declarative charting library.

Affected versions of this package allowed the style attribute of the tag inside the embedded SVG to be manipulated, making them vulnerable to CSS injection. An injected style could embed tracking images and leak information to an external domain.
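As an added illustration of the mitigation (this is example code, not plotly.js's own fix), the following allow-list validator checks a user-controlled SVG `style` value before it is written into markup: only a fixed set of properties is kept, `url()` references must point inside the document, and any other functional notation except numeric colour functions is rejected. The property list and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not code from plotly.js: allow-list validation of a
// user-controlled SVG `style` attribute value before it is written into
// generated markup, so a declaration cannot pull in an external resource.

// Style properties a chart element legitimately needs (assumed list).
const ALLOWED_PROPERTIES = new Set([
  'fill', 'stroke', 'stroke-width', 'opacity', 'font-size', 'font-family',
]);

// url(...) with optional quotes; group 2 captures the reference target.
const URL_CALL = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
// Colour functions with purely numeric arguments are the only other
// functional notation accepted.
const COLOR_FN = /(?:rgba?|hsla?)\(\s*[\d.%\s,]+\)/gi;

// A value is safe when it cannot close the attribute or declaration, uses no
// legacy script-bearing syntax, and every url() points inside the document.
function isSafeValue(value) {
  if (/[<>{}\\]/.test(value)) return false;
  if (/@import|expression|javascript:/i.test(value)) return false;
  for (const m of value.matchAll(URL_CALL)) {
    if (!m[2].trim().startsWith('#')) return false; // same-document refs only
  }
  // Anything else that still looks like a function call is rejected.
  const rest = value.replace(URL_CALL, '').replace(COLOR_FN, '');
  return !/[()]/.test(rest);
}

// Splits a style string into declarations and keeps only allow-listed
// properties with safe values; returns the rebuilt string and what was dropped.
function sanitizeStyle(style) {
  const kept = [];
  const dropped = [];
  for (const decl of style.split(';')) {
    if (!decl.trim()) continue;
    const idx = decl.indexOf(':');
    const prop = idx < 0 ? '' : decl.slice(0, idx).trim().toLowerCase();
    const value = idx < 0 ? '' : decl.slice(idx + 1).trim();
    if (ALLOWED_PROPERTIES.has(prop) && isSafeValue(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(decl.trim());
    }
  }
  return { style: kept.join('; '), dropped };
}

// Constructed inputs: a benign gradient reference and an external image URL.
console.log(sanitizeStyle('fill: url(#grad1); stroke-width: 2px'));
console.log(sanitizeStyle("fill: url('https://example.invalid/t.png')"));
```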

Details

For more information, see Jared's post, which explains the issue in detail.

Remediation

Upgrade to plotly.js version 1.16.0 or newer.

CVSS Score

3.1 (low severity)
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:H
Credit
Jared Folkins
CWE
CWE-74
Snyk ID
npm:plotly.js:20160808-1
Disclosed
09 Aug, 2016
Published
17 Oct, 2016