CVE-2017-16022

Name of the Vulnerable Software and Affected Versions: morris.js versions 0.5.0 and earlier

Description: The issue concerns morris.js, which generates svg graphs with hover-over labels. These labels are not properly escaped, allowing for script injection if an attacker gains control over the labels. The injected script runs on the client side when the specific graph is loaded.

Recommendations: For versions 0.5.0 and earlier, install the library from github via: npm i morrisjs/morris.js -s As a temporary workaround, consider restricting access to the graph generation feature until the issue is resolved.