CVE-2017-16022 in Morris.js
Summary
by MITRE
Morris.js creates an SVG graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.
Analysis
by VulDB Data Team • 03/21/2023
CVE-2017-16022 affects the morris.js JavaScript charting library in version 0.5.0 and earlier. It is a critical client-side cross-site scripting flaw caused by inadequate input sanitization in the library's SVG graph rendering: when a hover label is displayed over a data point, the label content is not escaped, so an attacker who controls the label text can inject arbitrary JavaScript. The defect lies in the library's failure to sanitize user-provided data that appears in hover tooltips, which are generated dynamically inside the SVG structure.
Technically the flaw follows a classic XSS pattern: morris.js incorporates user-supplied data into the SVG DOM without HTML escaping or other sanitization. When a user hovers over a data point, the library retrieves the label text from the data source and inserts it directly into the SVG element's attributes or text nodes, which gives injected markup a path to script execution. This matches CWE-79 (improper neutralization of input during web page generation) in its client-side form. The vulnerability operates entirely within the browser; once the malicious payload is embedded in the data that populates the chart, no further server-side interaction is needed.
The impact goes beyond data manipulation: the attacker's JavaScript executes in the context of the victim's browser session. When a user loads a page containing the vulnerable morris.js chart, any script embedded in the hover label data executes automatically, which can lead to session hijacking, data exfiltration, or redirection to malicious sites. The vector is particularly insidious because it can be triggered simply by loading the page, with no user interaction beyond that initial load. It is exploitable wherever untrusted parties can influence chart data, for example where users have administrative access to data input or where data is sourced from untrusted third-party APIs, which makes it especially dangerous in enterprise environments where charting libraries are widely used.
Mitigation for CVE-2017-16022 requires updating the library to version 0.5.1 or later, which fixes the escaping defect in hover label rendering. Organizations should also validate and sanitize all data fed into charting libraries, ensuring that user-provided content is HTML-escaped before it is rendered in visual elements. Security teams should audit all charting and visualization libraries in use, focusing on those with similar rendering patterns that may be susceptible to the same class of flaw. Remediation should include updating every affected application and adding automated tests that verify inputs are properly sanitized before visualization libraries process them, aligning these defensive measures against client-side exploitation with ATT&CK technique T1211. Finally, Content Security Policy headers can limit script execution and reduce the impact of a successful XSS attack.
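The unescaped concatenation described in the analysis, beside the escaped form and the data-boundary sanitization recommended above, as an added example that is not morris.js code: the hover markup layout, class names and `sanitizeChartRows` helper are illustrative assumptions, and the hostile label is a constructed sample.

```javascript
// Added example (not morris.js code): an unescaped hover label becoming live
// markup, and the defensive escaping that keeps it inert.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML/SVG text node
// or attribute value. A single-pass regex replacement avoids double-escaping '&'.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The pattern the analysis describes: label text concatenated straight into the
// hover markup. Any tags or quotes in the label become part of the DOM.
// (Class names here are illustrative, not morris.js's own.)
function buildHoverUnsafe(label, valueText) {
  return `<div class="hover-label">${label}</div>` +
         `<div class="hover-value">${valueText}</div>`;
}

// Hardened form: same layout, but label and value are escaped first, so a label
// containing markup renders literally in the tooltip.
function buildHoverSafe(label, valueText) {
  return `<div class="hover-label">${escapeHtml(label)}</div>` +
         `<div class="hover-value">${escapeHtml(valueText)}</div>`;
}

// Defence at the data boundary (assumed helper): escape the label fields of
// chart rows before they reach any charting library, whatever its version.
function sanitizeChartRows(rows, labelKeys) {
  return rows.map((row) => {
    const clean = { ...row };
    for (const key of labelKeys) {
      if (key in clean) clean[key] = escapeHtml(clean[key]);
    }
    return clean;
  });
}

// Audit check: true when a label that contains a tag boundary appears verbatim
// in the rendered markup, i.e. escaping was skipped somewhere in the pipeline.
function labelLeaksMarkup(label, rendered) {
  return /<[a-zA-Z]/.test(label) && rendered.includes(label);
}

// Constructed sample: an untrusted label carrying an event-handler attribute.
const hostileLabel = 'Q1 <img src=x onerror="alert(1)">';
const unsafeOut = buildHoverUnsafe(hostileLabel, '42');
const safeOut = buildHoverSafe(hostileLabel, '42');
console.log(labelLeaksMarkup(hostileLabel, unsafeOut)); // true
console.log(labelLeaksMarkup(hostileLabel, safeOut));   // false
```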