Описание
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions 6.1.1. There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.
A flaw was found in vega-functions. For sites that allow users to supply untrusted input, a remote attacker could exploit a vulnerability by maliciously using an internal function. This could lead to the execution of unintentional JavaScript, resulting in Cross-Site Scripting (XSS).
Отчет
This vulnerability is rated Important for Red Hat products such as jupyterlab and snakemake in Fedora and EPEL, and cloud.redhat.com services utilizing vega-functions. The flaw allows for Cross-Site Scripting (XSS) when applications permit untrusted user input to be processed by vega-functions, potentially leading to the execution of unintentional JavaScript.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Дополнительная информация
Статус:
EPSS
7.2 High
CVSS3
Связанные уязвимости
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.
vega-functions provides function implementations for the Vega expressi ...
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
EPSS
7.2 High
CVSS3