Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ3eDUtNWZxai1qdjk4
Cross-Site Scripting in morris.js
Affected versions of morris.js are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.
Recommendation
A patch for this vulnerability was created in 2014, but has still not been published to npm. In order to mitigate this issue effectively, install the library from github via:
npm i morrisjs/morris.js -s
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ3eDUtNWZxai1qdjk4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
Identifiers: GHSA-fwx5-5fqj-jv98, CVE-2017-16022
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16022
- https://github.com/morrisjs/morris.js/pull/464
- https://github.com/advisories/GHSA-fwx5-5fqj-jv98
- https://www.npmjs.com/advisories/307
Blast Radius: 0.0
Affected Packages
npm:morris.js
Dependent packages: 29Dependent repositories: 7,293
Downloads: 78,957 last month
Affected Version Ranges: = 0.5.0
No known fixed version
All affected versions: 0.5.0