exploitDog

CVE-2017-16022

Опубликовано: 04 июн. 2018

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.

Ссылки

https://github.com/morrisjs/morris.js/pull/464
Third Party Advisory
https://nodesecurity.io/advisories/307
Third Party Advisory
https://github.com/morrisjs/morris.js/pull/464
Third Party Advisory
https://nodesecurity.io/advisories/307
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:morris.js_project:morris.js:*:*:*:*:*:node.js:*:*

Версия до 0.5.0 (включая)

EPSS

Процентиль: 47%

0.0024

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

CWE-79

Связанные уязвимости

GHSA-fwx5-5fqj-jv98

github

около 7 лет назад

Cross-Site Scripting in morris.js

EPSS

Процентиль: 47%

0.0024

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

CWE-79