Apache ECharts Cross-Site Scripting Vulnerability in Lines Series Tooltip Rendering

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Apache ECharts in the tooltip rendering logic for the Lines series. It affects versions prior to 6.1.0. The issue is triggered when a chart combines a Lines series with an enabled tooltip and no user-specified tooltip formatter. In that configuration, raw HTML strings in the name field of the series data are inserted into the tooltip as markup instead of passing through the escaping that the default tooltip otherwise applies. Any script contained in such a name can therefore execute when the tooltip is shown.

Impact

An attacker who can influence the series data, for example through names loaded from an untrusted data source or supplied by another user of the application, can inject markup that executes script in the origin of the page that embeds the chart, with the consequences usual for XSS: access to that page's DOM and session state, page tampering, and actions performed as the victim.

Reproduction

To reproduce this vulnerability, build a chart with an Apache ECharts version prior to 6.1.0. Configure a Lines series and enable the tooltip, but do not set a custom tooltip formatter. Give at least one data item a name containing raw HTML, such as a script tag or an element with an event-handler attribute (the latter is the reliable choice for demonstrating execution, since script elements inserted through innerHTML are not executed by browsers). When the tooltip for that item is displayed, the name is rendered as HTML rather than as text, and any script it carries runs.

Remediation

Users are advised to upgrade to Apache ECharts version 6.1.0 or later, which addresses this issue. Where an immediate upgrade is not possible, two mitigations follow from the conditions above: treat name values from untrusted sources as text (escape or strip HTML before they reach the option object), and set an explicit tooltip formatter, since the vulnerable code path is only taken when none is specified. A custom formatter must itself escape every value it interpolates; a formatter that concatenates params.name into HTML unescaped reintroduces the same problem.
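The following JavaScript is an added example, not code from the Apache ECharts project or from this advisory. It models the Reproduction and Remediation sections above in one place: a function that builds the exposed configuration (Lines series, tooltip enabled, no formatter, a name carrying HTML), a static check that flags that combination in an option object, and a hardened variant whose formatter escapes every value it interpolates. It runs under Node without ECharts; the option shape (series type lines, coords, tooltip.formatter, series-level tooltip) follows the public ECharts option API, while the assumption that the default Lines tooltip shows the series name and the data name is this example's own. The sample names are constructed.

```javascript
// Added example, not Apache ECharts project code. Runs under Node without a
// browser or ECharts: it only builds and inspects the `option` object and the
// tooltip.formatter callback.

// Constructed sample data. The last entry carries raw HTML, which is the input
// the advisory describes; in a real deployment it could come from an untrusted
// data source. An <img> with onerror is used because a bare <script> element
// inserted via innerHTML is not executed by browsers.
const UNTRUSTED_NAMES = [
  'Beijing -> Shanghai',
  'Seoul -> Tokyo',
  '<img src=x onerror="alert(document.domain)">',
];

// Exposed shape: Lines series, tooltip enabled, no user formatter.
// On ECharts < 6.1.0 the names above are inserted into the tooltip as HTML.
function buildVulnerableOption(names) {
  return {
    tooltip: { trigger: 'item' },
    xAxis: { type: 'value' },
    yAxis: { type: 'value' },
    series: [{
      type: 'lines',
      name: 'Routes',
      coordinateSystem: 'cartesian2d',
      data: names.map((name, i) => ({ name, coords: [[i, 0], [i + 1, 1]] })),
    }],
  };
}

// Escape text that will be placed into the tooltip DOM.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened formatter. ECharts passes a `params` object (or an array of them)
// to tooltip.formatter; `seriesName` and `name` are the fields used here.
// Assumption: the default Lines tooltip shows roughly this content. Setting a
// formatter leaves the vulnerable default path untaken, and escaping every
// interpolated field keeps HTML in the data from becoming markup.
function safeLinesTooltip(params) {
  const p = Array.isArray(params) ? params[0] : params;
  return `${escapeHtml(p.seriesName || '')}<br/>${escapeHtml(p.name || '')}`;
}

function buildHardenedOption(names) {
  const option = buildVulnerableOption(names);
  option.tooltip.formatter = safeLinesTooltip;
  return option;
}

// Static configuration check: true when an option has the exposed combination
// (a Lines series, tooltip not disabled, no formatter at series or global
// level) and at least one data name contains something that looks like a tag.
// This lints the option object only; it does not prove execution at runtime.
function isExposed(option) {
  const tooltip = option.tooltip;
  if (!tooltip || tooltip.show === false) return false;
  const series = [].concat(option.series || []);
  return series.some((s) => {
    if (s.type !== 'lines') return false;
    const seriesFormatter = s.tooltip && s.tooltip.formatter;
    if (seriesFormatter || tooltip.formatter) return false;
    return (s.data || []).some((d) => /<[a-zA-Z!\/]/.test(String((d && d.name) || '')));
  });
}
```

In the browser the hardened option is used as usual, for example `echarts.init(container).setOption(buildHardenedOption(names))`. The check is deliberately conservative: it reports exposure only when HTML-looking names are already present in the option, so run it on data as it will actually be rendered, and treat a hit on a pre-6.1.0 deployment as a finding regardless of whether the payload fires in your test browser.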

Added: May 26, 2026, 8:05 PM
Updated: May 26, 2026, 8:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.7
remediation: 0.0
relevance: 9.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.