{"id": "CVE-2020-26296", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2020-12-30T23:15:15.233", "references": [{"url": "https://github.com/vega/vega/issues/3018", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vega/vega/pull/3019", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vega/vega/releases/tag/v5.17.3", "tags": ["Release Notes", "Third Party Advisory"], "source": 
"security-advisories@github.com"}, {"url": "https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/vega", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vega/vega/issues/3018", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vega/vega/pull/3019", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vega/vega/releases/tag/v5.17.3", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.npmjs.com/package/vega", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3."}, {"lang": "es", "value": "Vega es una gram\u00e1tica de visualizaci\u00f3n, un formato declarativo para crear, guardar y compartir dise\u00f1os de visualizaci\u00f3n interactivos. Vega en un paquete npm. En Vega versiones anteriores a 5.17.3, se presenta una vulnerabilidad de tipo XSS en las expresiones de Vega. 
Mediante una expresi\u00f3n Vega especialmente dise\u00f1ada, un atacante podr\u00eda ejecutar javascript arbitrario en la m\u00e1quina de una v\u00edctima. Esto es corregido en la versi\u00f3n 5.17.3"}], "lastModified": "2024-11-21T05:19:47.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vega_project:vega:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7A1B602E-B94B-4BD0-ADF7-2582C27105D2", "versionEndExcluding": "5.17.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}