CVE-2016-1000240 — Cross-Site Scripting in c3

Description

Affected versions of `c3` are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. ## Recommendation Update to 0.4.11 or later.

How to fix CVE-2016-1000240

To remediate CVE-2016-1000240, upgrade the affected package to a fixed version below.

npm/c3—upgrade to 0.4.11 or later

Is CVE-2016-1000240 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2016-1000240.

Affected packages (1)

npm/c3from 0, < 0.4.11

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-1000240
PATCHgithub.com/c3js/c3
WEBgithub.com/c3js/c3/commit/de3864650300488a63d0541620e9828b00e94b42
WEBgithub.com/c3js/c3/issues/1536
WEBgithub.com