Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2017-16022

UNKNOWN
Published 2018-06-04T19:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2017-16022. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

HackerOne

Morris.js node module

Affected Versions:

<=0.5.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Cross-Site Scripting in morris.js

GHSA-fwx5-5fqj-jv98

Advisory Details

Affected versions of `morris.js` are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded. ## Recommendation A patch for this vulnerability was created in 2014, but has still not been published to npm. In order to mitigate this issue effectively, install the library from github via: ``` npm i morrisjs/morris.js -s ```

Affected Packages

npm morris.js

CVSS Scoring

CVSS Score

5.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-16022
WEB https://github.com/morrisjs/morris.js/pull/464
ADVISORY https://github.com/advisories/GHSA-fwx5-5fqj-jv98
WEB https://www.npmjs.com/advisories/307

Advisory provided by GitHub Security Advisory Database. Published: November 9, 2018, Modified: August 31, 2020

References

https://nodesecurity.io/advisories/307
https://github.com/morrisjs/morris.js/pull/464
Published: 2018-06-04T19:00:00Z
Last Modified: 2024-09-16T21:08:55.440Z
Copied to clipboard!