#VU36063 Input validation error in highcharts - CVE-2018-20801

Cybersecurity Help s.r.o.

Published: 2019-03-14 | Updated: 2020-08-08

Vulnerability identifier: #VU36063

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-20801

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
highcharts
Web applications / JS libraries

Vendor: highcharts

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.

Mitigation
Install update from vendor's website.

Vulnerable software versions

highcharts: 6.0.0 - 6.0.7

External links
https://github.com/highcharts/highcharts/commit/7c547e1e0f5e4379f94396efd559a566668c0dfa
https://security.netapp.com/advisory/ntap-20190715-0001/
https://snyk.io/vuln/npm:highcharts:20180225

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM QRadar Advisor With Watson App for IBM QRadar SIEM

Multiple vulnerabilities in API Gateway and API Manager

Input validation error in highcharts