CVE-2017-16022

Vulnerability

The JavaScript library Morris.js is vulnerable to a cross-site scripting (XSS) flaw in the hover labels of SVG graphs. The library does not escape the text content of labels that appear when a user hovers over a data point. Versions 0.5.0 and earlier are affected [1][2][3].

Exploitation

An attacker who can control the label text of a graph can inject arbitrary HTML or JavaScript. When a victim loads the page containing the affected graph and hovers over a point, the injected script executes in the context of the victim's browser session. No special network position or authentication is required beyond the ability to provide the label content [2][3].

Impact

Successful exploitation leads to client-side script execution (stored XSS). This can result in session hijacking, sensitive data exfiltration, or arbitrary actions performed as the authenticated user. The privilege level is that of the victim's browser context [2][3].

Mitigation

A fix was submitted as a pull request in 2014 but has not been published to npm. As a workaround, install the library directly from the GitHub repository via npm i morrisjs/morris.js -s to obtain the patched version. No versioned npm release with the fix exists [1][3].