{"uuid": "4ea21d98-6f89-46c3-96f2-a0646b0d849e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-W5M3-XH75-MP55", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/5310", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-26487\n\ud83d\udd25 CVSS Score: 6.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)\n\ud83d\udd39 Description: Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.\n\n\ud83d\udccf Published: 2023-03-03T23:47:28.486Z\n\ud83d\udccf Modified: 2025-02-25T15:01:54.570Z\n\ud83d\udd17 References:\n1. https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55\n2. https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689\n3. https://github.com/vega/vega/releases/tag/v5.23.0", "creation_timestamp": "2025-02-25T15:23:31.000000Z"}