Cross-site Scripting (XSS)

Affecting morris.js package, versions <=0.5.0

medium severity

Overview

morris.js is a very simple API for drawing line, bar, area and donut charts. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. The row label is concatenated into the generated HTML without filtering or escaping, so it can contain any value, including markup.

Remediation

There is no fixed version of morris.js. A pull request with a fix has been merged on GitHub, but it has not been published to npm.
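
The concatenation flaw described in the overview, beside a hardened form and a caller-side mitigation for the unpatched npm release. This is an added example, not morris.js source code; the function names, the `row-label` class and the sample rows are constructed for illustration.

```javascript
// Added example; not morris.js source. All names here are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the row label is concatenated into markup as-is.
function hoverRowUnsafe(label) {
  return "<div class='row-label'>" + label + "</div>";
}

// Hardened pattern: the label is escaped at the point of concatenation.
function hoverRowSafe(label) {
  return "<div class='row-label'>" + escapeHtml(label) + "</div>";
}

// Caller-side mitigation: return copies of the data rows with the label
// field escaped before they are handed to the chart. Non-string labels
// (for example numeric timestamps) are passed through unchanged.
function escapeRowLabels(rows, labelKey) {
  return rows.map((row) => ({
    ...row,
    [labelKey]: typeof row[labelKey] === "string" ? escapeHtml(row[labelKey]) : row[labelKey],
  }));
}

// Constructed sample data: the second label carries markup.
const rows = [
  { period: "2014-07", visits: 120 },
  { period: "<img src=x onerror=alert(1)>", visits: 95 },
];

const safeRows = escapeRowLabels(rows, "period");
console.log(hoverRowUnsafe(rows[1].period)); // markup reaches the page intact
console.log(hoverRowSafe(rows[1].period));   // markup is rendered as text
console.log(safeRows[1].period);             // escaped before charting
```

If you later move to a build that escapes the label itself, drop the caller-side escaping, otherwise labels are encoded twice.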

Credit: Jelte Fennema
CWE: CWE-79
Snyk ID: npm:morris.js:20140717
Disclosed: 17 Jul, 2014
Published: 16 Apr, 2017