CVE-2017-16022

Source
https://cve.org/CVERecord?id=CVE-2017-16022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-16022
Published
2018-06-04T19:29:01.350Z
Modified
2026-03-14T09:22:25.232679Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details

Morris.js renders an SVG chart with labels that appear when the user hovers over a data point. In versions 0.5.0 and earlier the hover-label text is not HTML-escaped before it is placed in the hover element, so anyone who controls the label values (for example through the data the application passes to the chart) can inject script. The injected script runs in the browser of every user who loads that particular graph, a cross-site scripting (XSS) issue that needs a victim to interact with the page, consistent with the UI:R component of the vector above. The record gives 0.5.0 as the last affected release and lists no fixed version.
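The following is an added illustration of the pattern this record describes, written for this page; it is not Morris.js's own code. It models hover-tooltip markup being built by string concatenation (the `hoverContent` function shape and the CSS class names are assumptions for the example), shows how an attacker-controlled x label becomes live markup once that string is assigned with innerHTML, and contrasts it with the same builder after HTML-escaping every data-derived fragment. The data series is a constructed sample whose last label carries a payload of the kind the advisory warns about.

```javascript
// Added example for CVE-2017-16022: unescaped hover labels vs. escaped ones.
// Not Morris.js code; the markup shape and class names are assumptions.

// Constructed sample series. An application typically builds this from
// stored or user-supplied data, which is how an attacker reaches the label.
const SAMPLE_DATA = [
  { x: "2017-01", y: 12 },
  { x: "2017-02", y: 17 },
  { x: '2017-03<img src=x onerror="alert(document.cookie)">', y: 9 },
];

// Vulnerable pattern: the label goes straight into markup that the chart
// later assigns with innerHTML (or jQuery's .html()). The browser parses
// the label as HTML, so a tag inside the label becomes a live element.
function hoverContentUnsafe(point) {
  return (
    "<div class='morris-hover-row-label'>" + point.x + "</div>" +
    "<div class='morris-hover-point'>y: " + point.y + "</div>"
  );
}

// Escape the five characters that can break out of text or attribute
// context. Encoding both quote characters keeps the escaper usable inside
// single- and double-quoted attributes as well as element text.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: identical structure, but every data-derived fragment is
// escaped before concatenation, so a payload is displayed as text, not parsed.
function hoverContentSafe(point) {
  return (
    "<div class='morris-hover-row-label'>" + escapeHtml(point.x) + "</div>" +
    "<div class='morris-hover-point'>y: " + escapeHtml(point.y) + "</div>"
  );
}

// Check that makes the difference observable without a browser: list every
// tag name in the markup that the builder itself did not emit.
const BUILDER_TAGS = new Set(["div", "/div"]);
function foreignTags(html) {
  const found = html.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  return found
    .map((t) => t.slice(1).toLowerCase())
    .filter((name) => !BUILDER_TAGS.has(name));
}

// Run both builders over the whole series and report injected tags per point.
function audit(series) {
  return series.map((point) => ({
    label: point.x,
    unsafeInjected: foreignTags(hoverContentUnsafe(point)),
    safeInjected: foreignTags(hoverContentSafe(point)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of audit(SAMPLE_DATA)) {
    console.log(JSON.stringify(row));
  }
}
```

Running the file prints one line per point; only the third point reports an injected `img` tag, and only from the unescaped builder. In a real chart the cleaner fix is to avoid innerHTML for data-derived text altogether (assign it with textContent, or build the rows with createElement), which removes the need to get the escaping right; where markup must be built as a string, escape at the point of insertion as above rather than trusting that the data source was sanitized upstream.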

Affected packages

Git / github.com/morrisjs/morris.js

Affected ranges

Type
GIT
Repo
https://github.com/morrisjs/morris.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.5.0"
        }
    ]
}

Affected versions

0.*
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.3.0
0.3.1
0.3.2
0.3.3
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16022.json"