CVE-2017-16022
Cross-Site Scripting in morris.js
Description
Affected versions of `morris.js` are vulnerable to cross-site scripting in the labels shown when hovering over a point on a generated graph. The text of these labels is inserted into the page as HTML without being escaped, so anyone who controls the label text (for example through the data the chart is rendered from) can inject script. That script runs in the browser of every user who loads the graph.

Recommendation

A patch for this vulnerability was committed to the project's GitHub repository in 2014, but no release containing it has been published to npm. To mitigate, install the library from GitHub:

```
npm i morrisjs/morris.js -s
```

Two practical caveats: installing `morrisjs/morris.js` without a commit reference resolves to whatever the default branch contains at install time, so pin to a specific commit (`npm i morrisjs/morris.js#<commit>`, with the commit hash of the patched revision substituted) and commit the resulting lockfile so the build is reproducible. Also note that in npm `-s` means `--silent`; the flag that records the dependency in `package.json` is `-S` (`--save`).
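The following is an added example, not code from morris.js or from the advisory. It models the tooltip-building pattern the description refers to: a hover fragment assembled by string concatenation, with the label inserted raw (the vulnerable form) and with every data-derived string escaped (the fixed form), plus a small check that reports any element tags that originate from the data rather than the template. The row data, the `hoverHtml*` and `injectedTags` function names, and the `morris-hover-*` class names used here are assumptions for illustration.

```javascript
// Added example (not morris.js's own code): a simplified model of how a chart
// builds its hover tooltip from row data, in the vulnerable form that
// CVE-2017-16022 describes and in an escaped form.
// Assumption: `sampleRows` stands in for chart data an attacker can influence.

// Constructed sample data; the second label carries an XSS payload.
const sampleRows = [
  { label: '2017-11', value: 42 },
  { label: '<img src=x onerror="alert(document.cookie)">', value: 7 },
];

// Vulnerable pattern: the label is concatenated straight into the HTML
// fragment that the tooltip element is later filled with (innerHTML / .html()).
function hoverHtmlVulnerable(row) {
  return "<div class='morris-hover-row-label'>" + row.label + '</div>' +
         "<div class='morris-hover-point'>" + row.value + '</div>';
}

// Minimal HTML escaper for text placed inside element content or quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: every data-derived string is escaped before it enters the fragment.
function hoverHtmlSafe(row) {
  return "<div class='morris-hover-row-label'>" + escapeHtml(row.label) + '</div>' +
         "<div class='morris-hover-point'>" + escapeHtml(row.value) + '</div>';
}

// Check: list any element tags in the fragment other than the tooltip's own <div>s.
// Anything returned here came from the data, not from the template.
function injectedTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== 'div') tags.push(name);
  }
  return tags;
}

// Run both renderers over the rows and report which one leaks markup per row.
function audit(rows) {
  return rows.map((row) => ({
    label: row.label,
    vulnerable: injectedTags(hoverHtmlVulnerable(row)),
    safe: injectedTags(hoverHtmlSafe(row)),
  }));
}

console.log(JSON.stringify(audit(sampleRows), null, 2));
```

In a real page the equivalent of the fix is to build the tooltip with `document.createElement` and assign the label through `textContent`, so no HTML string is assembled at all. Either way the escaping has to happen inside the charting code where data meets markup; escaping labels in application code before handing them to the library is fragile, because the same strings are reused in other contexts (axis text, legends) where the entities would then appear literally.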
How to fix CVE-2017-16022
No fixed version has been published to npm. Mitigate by installing the patched code from the project's GitHub repository as described in the recommendation above, pinned to a specific commit, or by removing the package if the charts are not needed.
- No fixed npm version listed
Is CVE-2017-16022 being exploited?
Low: the EPSS score is 0.2%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks; it does not indicate that this issue is being exploited at scale, but any deployment where untrusted users can influence chart labels should still apply the mitigation.