Vega and Vega-Selections Cross-Site Scripting Vulnerability via vlSelectionTuples Function

A cross-site scripting vulnerability has been identified in Vega versions prior to 5.26.0 and in Vega-Selections versions prior to 5.4.2. The issue arises in the vlSelectionTuples function, which can be manipulated to execute arbitrary JavaScript. This is achieved by passing an attacker-controlled argument that is then used to call the Function constructor. The exploited JavaScript can be executed immediately or later through another vlSelectionTuples call or by coercing the result to a string or a number.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use a version of Vega prior to 5.26.0 and Vega-Selections prior to 5.4.2. Call the vlSelectionTuples function with a datum containing the JavaScript code to be executed, and a fields array that includes a getter function. The injected code will be executed in the user's browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to Vega version 5.26.0 and Vega-Selections version 5.4.2 to address this vulnerability.