Description
Affected versions of plotly.js are vulnerable to cross-site scripting if an attacker can convince a user to visit a malicious plot on a site using this package.
Recommendation
Update the plotly.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.16.0
- Patched version(s): 1.16.0
References
- GHSA-2fqv-h3r5-m4vf
- acloudtree.com
- www.npmjs.com
- help.plot.ly
- CVE-2017-1000006
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload - CVE-2022-25854
- Cross-site Scripting (XSS) - Stored in crud-file-server - CVE-2018-3726
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- Tags:
- npm
- plotly.js
Anything's wrong? Let us know Last updated on January 09, 2023