Skip to content

Cross-Site Scripting in morris.js

Moderate severity GitHub Reviewed Published Nov 9, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm morris.js (npm)

Affected versions

= 0.5.0

Patched versions

None

Description

Affected versions of morris.js are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.

Recommendation

A patch for this vulnerability was created in 2014, but has still not been published to npm. In order to mitigate this issue effectively, install the library from github via:

npm i morrisjs/morris.js -s

References

Published to the GitHub Advisory Database Nov 9, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(32nd percentile)

Weaknesses

CVE ID

CVE-2017-16022

GHSA ID

GHSA-fwx5-5fqj-jv98

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.