CVE-2017-16022
cross-site scripting vulnerability in morris.js (npm)

Tags: cross-site scripting · No known exploit · Fixable by Resolved Security

What is CVE-2017-16022 About?

This vulnerability in `morris.js` allows cross-site scripting (XSS) attacks through generated graph labels. Unescaped text content in hover labels enables script injection, which executes on the client side when the graph loads. Exploitation is straightforward, requiring only control over the graph label content.

Affected Software

N/A

Technical Details

The vulnerability in morris.js arises because the text content of labels displayed when hovering over points on a generated graph is not properly escaped. If an attacker can control the data that populates these labels (e.g., through user-supplied input that is later graphed), they can inject malicious script code directly into the label's content. When a user's browser renders the graph and the hover label appears, the unescaped script will be executed in the context of the user's browser, leading to a client-side cross-site scripting (XSS) attack.
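The defensive counterpart to the flaw described above is to make sure label text can only ever reach the page as literal text. The following is an added example written for this page, not code from the morris.js project: a small HTML escaper, a helper that escapes every string-valued field of the chart data before it is handed to the chart, and a label renderer of the kind a `hoverCallback` would use. `hoverCallback` is a real Morris.Line option; its `(index, options, content, row)` argument order is stated here as an assumption, and the sample rows are constructed for the example.

```javascript
// Added example (not morris.js code): neutralize untrusted label text before
// it is rendered into a hover label.

// Minimal HTML escaper covering the characters that matter in text and
// attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Option 1: escape the data itself. Every string field in each row is escaped;
// numeric series values are left alone so the chart still plots them. Use this
// when the chart's own (unescaped) hover rendering cannot be replaced.
function sanitizeChartData(rows) {
  return rows.map((row) => {
    const clean = {};
    for (const [key, val] of Object.entries(row)) {
      clean[key] = typeof val === 'string' ? escapeHtml(val) : val;
    }
    return clean;
  });
}

// Option 2: keep the data raw and build the hover HTML yourself so that every
// piece of text passes through escapeHtml and the only markup is your own.
// Do not combine this with option 1, or text will be escaped twice.
function renderHoverLabel(row, xkey, ykeys, labels) {
  const parts = [`<div class="morris-hover-row-label">${escapeHtml(row[xkey])}</div>`];
  ykeys.forEach((key, i) => {
    parts.push(`<div class="morris-hover-point">${escapeHtml(labels[i])}: ${escapeHtml(row[key])}</div>`);
  });
  return parts.join('');
}

// Constructed sample rows: x-axis labels that contain markup and an ampersand,
// as user-supplied category names might.
const SAMPLE_ROWS = [
  { y: '2017-Q1 <b>beta</b>', a: 100 },
  { y: 'Tom & Jerry', a: 75 },
];

// Hypothetical wiring for option 2 (assumed hoverCallback argument order):
//   new Morris.Line({
//     element: 'chart', data: SAMPLE_ROWS, xkey: 'y', ykeys: ['a'],
//     labels: ['Series A'],
//     hoverCallback: (index, options, content, row) =>
//       renderHoverLabel(row, 'y', ['a'], ['Series A']),
//   });
function demo() {
  return renderHoverLabel(SAMPLE_ROWS[0], 'y', ['a'], ['Series A']);
}
```

Both helpers return strings, so they can be unit-tested without a browser; the markup in the sample label survives only as `&lt;b&gt;`, which the browser displays as text rather than parsing.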

What is the Impact of CVE-2017-16022?

Successful exploitation may allow attackers to execute arbitrary script code in the victim's browser, leading to session hijacking, defacement, sensitive data exposure, or redirection to malicious sites.

What is the Exploitability of CVE-2017-16022?

Exploitation of this vulnerability is relatively easy, given the attacker can control the data that populates the graph labels. There are no specific authentication or privilege requirements to trigger the vulnerability beyond the ability to provide input that will be graphically represented. The attack is client-side and typically remote, as it relies on a victim user loading a webpage containing the maliciously crafted graph. Special conditions include the user interacting with the graph to trigger the hover labels. The main risk factor is any application that uses morris.js to visualize untrusted or user-controlled data without proper sanitization.

What are the Known Public Exploits?

PoC	Author	Link	Commentary
(no entries: no known exploits)

What are the Available Fixes for CVE-2017-16022?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16022?

Similar Vulnerabilities: CVE-2017-16010, CVE-2017-16015, CVE-2018-3728, CVE-2020-4066, CVE-2022-24754