Plotly Security Advisory - XSS in plotly.js

CVE-2017-1000006

Summary of issue

A Cross-Site Scripting (XSS) vulnerability has been fixed in the plotly.js library.

An attacker could trick an unsuspecting user into viewing a specially crafted plot on a site that uses plotly.js (including the cloud version of Plotly); the vulnerability would have allowed the attacker to perform any action on that site using the victim's credentials.

Thanks to Dennis Detering and Jared Folkins for reporting this issue.

Affected products and versions

Resolution

General notes regarding security reporting

Please send all security reports concerning Plotly security products to security@plot.ly.
