
Plotly Security Advisory - XSS in Chart Studio web interface

Summary of issue

Two separate Cross-Site Scripting (XSS) vulnerabilities have been fixed in the Chart Studio web interface.

  1. By tricking an unsuspecting user into following a specially crafted link to Chart Studio Cloud, an attacker could perform any action using the victim’s credentials on that site.

  2. An attacker could trick an unsuspecting user into viewing a specially crafted dashboard on Chart Studio Cloud or a Chart Studio On-Premise server. The vulnerability would have allowed the attacker to perform any action using the victim’s credentials on that site.

Thanks to Nassim Bouali and Mahmoud G. for reporting these issues.

Affected products and versions

Resolution

General notes regarding security reporting

Please send all security reports concerning Plotly products to security@plot.ly.
