CVE-2026-45249
XSS in Apache ECharts Lines Series Tooltip

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: Apache Software Foundation

Description
A cross-site scripting (XSS) vulnerability exists in the Lines series tooltip rendering logic of Apache ECharts. This issue affects Apache ECharts versions before 6.1.0. In those versions, if a Lines series and the tooltip are both used, no user-specified tooltip.formatter is provided, and series.data[i].name is set, the raw HTML string in series.data[i].name is rendered into the tooltip content through an innerHTML sink. Although the tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users who use the Lines series in this way are recommended to upgrade to version 6.1.0, which fixes the issue.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Vendor: apache
Product: echarts
Version / Range: before 6.1.0 (6.1.0 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue found in Apache ECharts versions before 6.1.0. It occurs in the Lines series tooltip rendering logic when both Lines series and tooltip are used without a user-specified tooltip.formatter, and series.data[i].name contains raw HTML. In this case, the raw HTML string in series.data[i].name is rendered directly into the tooltip content using innerHTML without proper escaping, which can lead to unexpected script execution when tooltips are displayed.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected application by injecting malicious HTML or JavaScript into the series.data[i].name field. When the tooltip displays this data, the malicious script can run, potentially leading to unauthorized actions such as stealing user information, session hijacking, or defacing the user interface.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache ECharts to version 6.1.0 or later.

This upgrade fixes the issue related to the Lines series tooltip rendering logic that could lead to cross-site scripting (XSS).

Compliance Impact

The vulnerability is a Cross-Site Scripting (XSS) issue in Apache ECharts that allows execution of malicious scripts via tooltip content when certain conditions are met. XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or data manipulation, which may impact compliance with data protection regulations such as GDPR or HIPAA.

Specifically, if an attacker exploits this XSS vulnerability, they could potentially execute scripts that access or exfiltrate personal or sensitive information displayed or processed by the application using Apache ECharts. This could violate principles of data confidentiality and integrity required by standards like GDPR and HIPAA.

Therefore, failure to address this vulnerability by upgrading to version 6.1.0 or later could result in non-compliance with these regulations due to the increased risk of data breaches or unauthorized data exposure.

Mitigation involves upgrading to the fixed version and applying recommended security best practices such as input sanitization and HTML escaping to prevent XSS attacks, aligning with security controls expected by compliance frameworks.

Detection Guidance

This vulnerability involves the rendering of raw HTML in tooltip content within Apache ECharts Lines series when no custom tooltip.formatter is provided. Detection typically involves inspecting the usage of Apache ECharts in your environment, especially versions prior to 6.1.0, and checking if Lines series tooltips are used without a user-defined formatter.

Since the vulnerability is related to client-side rendering and script execution, network-based detection commands are not directly applicable. Instead, detection can be performed by reviewing the JavaScript code or web application source to identify if vulnerable versions of Apache ECharts are used and if the Lines series tooltip is configured without a custom formatter.

You can also test for the vulnerability by injecting HTML or JavaScript payloads into the series.data[i].name field and observing if the tooltip renders and executes the injected code. A manual test case similar to the one added in the fix (test/tooltip-xss.html) can be used for this purpose.

  • Check the version of Apache ECharts used in your application (should be 6.1.0 or later to be safe).
  • Review your chart configuration for Lines series and tooltip usage without a custom tooltip.formatter.
  • Inject test payloads into series.data[i].name to see if they execute in tooltips.

No specific command-line tools or network commands are provided in the available resources for automated detection.
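The following is an added example, not code from the Apache ECharts project or from the advisory. It covers the mitigation advice above (HTML escaping) and the configuration review in the detection guidance: an escaping tooltip.formatter for a Lines series, plus an audit helper that flags chart options matching the vulnerable shape (Lines series, tooltip enabled, no user-specified formatter, named data items). It assumes the ECharts tooltip.formatter callback contract (a params object carrying seriesName, name and value) and the series-level tooltip option; the sample chart option is constructed for illustration.

```javascript
// Added example, not ECharts project code: an HTML-escaping tooltip.formatter
// and an audit of chart options for the vulnerable shape in the advisory.

// Escape the characters that matter when a string reaches an innerHTML sink.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}
// ECharts passes a params object (seriesName, name, value, ...) to
// tooltip.formatter and injects the returned string as HTML, so escape every field.
function safeLinesTooltipFormatter(params) {
  const p = Array.isArray(params) ? params[0] : params;
  const value = Array.isArray(p.value) ? p.value.join(', ') : (p.value ?? '');
  return `${escapeHtml(p.seriesName ?? '')}<br/>${escapeHtml(p.name ?? '')}: ${escapeHtml(value)}`;
}

const hasFormatter = (t) => !!t && ['function', 'string'].includes(typeof t.formatter);
const tooltipOff = (t) => !!t && t.show === false;

// Indices of Lines series shown with the built-in tooltip and named data items.
// The ECharts version is not checked here; pair this with a version check.
function findUnescapedLinesSeries(option) {
  if (!option.tooltip || tooltipOff(option.tooltip) || hasFormatter(option.tooltip)) return [];
  const series = [].concat(option.series || []);
  return series.flatMap((s, i) => {
    if (!s || s.type !== 'lines' || tooltipOff(s.tooltip) || hasFormatter(s.tooltip)) return [];
    const named = Array.isArray(s.data) && s.data.some((d) => d && typeof d.name === 'string');
    return named ? [i] : [];
  });
}

// Mitigation short of upgrading: give every flagged series an escaping formatter.
function hardenOption(option) {
  for (const i of findUnescapedLinesSeries(option)) {
    option.series[i].tooltip = { ...(option.series[i].tooltip || {}), formatter: safeLinesTooltipFormatter };
  }
  return option;
}

// Constructed chart option: series 0 matches the vulnerable shape, series 1 is
// not a Lines series, series 2 already has an escaping formatter.
const sampleOption = {
  tooltip: { trigger: 'item' },
  series: [
    { type: 'lines', data: [{ name: 'Route <b>A</b>', coords: [[0, 0], [1, 1]] }] },
    { type: 'line', data: [1, 2, 3] },
    { type: 'lines', tooltip: { formatter: safeLinesTooltipFormatter }, data: [{ name: 'Route B', coords: [[0, 0], [2, 2]] }] },
  ],
};
```

Running findUnescapedLinesSeries(sampleOption) reports series 0 only; after hardenOption(sampleOption) the audit reports nothing, and the tooltip for that series shows the literal text "Route <b>A</b>" instead of interpreting it as markup.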
