CVE-2017-16022
Cross-Site Scripting in morris.js
EPSS 0.24%
描述
Affected versions of `morris.js` are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded. ## Recommendation A patch for this vulnerability was created in 2014, but has still not been published to npm. In order to mitigate this issue effectively, install the library from github via: ``` npm i morrisjs/morris.js -s ```
如何修補 CVE-2017-16022
目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。
- —未列出修補版本
CVE-2017-16022 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。