Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55)

Severity:: Medium

Description

Vega’s lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it’s not enforced.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

Affected version(s): < 5.23.0
Patched version(s): 5.23.0

References

GHSA-w5m3-xh75-mp55
CVE-2023-26487
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4) - CVE-2023-26486
vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) 4 - CVE-2024-52809
vue-i18n has cross-site scripting vulnerability with prototype pollution (GHSA-9r9m-ffp6-9x4v) - CVE-2024-52809

Tags:: npm; vega

Anything's wrong? Let us know Last updated on March 13, 2023