Status: Closed (closed by mend-for-github-com[bot] 10 months ago)
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - morris-0.4.3.min.js
Easy, pretty charts
Library home page: https://cdnjs.cloudflare.com/ajax/libs/morris.js/0.4.3/morris.min.js
Path to vulnerable library: /app/assets/vendor/chart/morris-0.4.3.min.js
Found in HEAD commit: 7ec8f81fd91368c60347148b536e1a8340818b82
Vulnerabilities
** In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2017-16022
### Vulnerable Library - morris-0.4.3.min.js

Easy, pretty charts
Library home page: https://cdnjs.cloudflare.com/ajax/libs/morris.js/0.4.3/morris.min.js
Path to vulnerable library: /app/assets/vendor/chart/morris-0.4.3.min.js
Dependency Hierarchy:

- :x: **morris-0.4.3.min.js** (Vulnerable Library)
Found in HEAD commit: 7ec8f81fd91368c60347148b536e1a8340818b82
Found in base branch: main
### Vulnerability Details

Morris.js creates an SVG graph with labels that appear when hovering over a point. The hover label names are not escaped in versions 0.5.0 and earlier. If an attacker gains control over the labels (for example through chart data sourced from user input), script can be injected; this is a cross-site scripting issue. The script runs in the browser of every user whenever that specific graph is loaded and hovered.
Publish Date: 2018-06-04
URL: CVE-2017-16022
### CVSS 3 Score Details (6.1)

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16022
Release Date: 2018-06-04
Fix Resolution: 0.5.1
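The following is an added example, not code from morris.js, Mend, or this repository. It reproduces the pattern CVE-2017-16022 describes (label text concatenated unescaped into the hover popup's HTML) beside an escaped version, adds a check that flags chart rows whose labels carry markup, and a version test that tells whether an installed morris.js still needs the 0.5.1 upgrade. The function names, the CSS class names and the sample data set are assumptions made for this example and do not come from the library.

```javascript
// Added example, not morris.js or Mend code. Function names, class names and
// SAMPLE_DATA are assumptions for illustration.

// Minimal HTML escaper covering the five characters that matter in text and
// attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape (the behaviour the advisory attributes to morris.js 0.5.0
// and earlier): the label reaches the DOM unescaped, so a label such as
// '<img src=x onerror=...>' executes when the point is hovered.
function hoverHtmlUnsafe(label, value) {
  return '<div class="morris-hover-row-label">' + label + '</div>' +
         '<div class="morris-hover-point">' + value + '</div>';
}

// Hardened shape: same markup, but data is escaped before concatenation.
function hoverHtmlSafe(label, value) {
  return '<div class="morris-hover-row-label">' + escapeHtml(label) + '</div>' +
         '<div class="morris-hover-point">' + escapeHtml(value) + '</div>';
}

// Data-side check: list rows whose label would change under escaping, i.e.
// labels that an unpatched build would render as live markup.
function findMarkupLabels(rows, labelKey) {
  const hits = [];
  rows.forEach((row, index) => {
    const label = String(row[labelKey]);
    if (label !== escapeHtml(label)) hits.push({ index, label });
  });
  return hits;
}

// True when the given morris.js version is 0.5.0 or earlier, i.e. below the
// 0.5.1 fix resolution. Numeric dotted versions only.
function needsUpgrade(version) {
  const fixed = [0, 5, 1];
  const parts = String(version).split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < fixed.length; i++) {
    const n = parts[i] || 0;
    if (n < fixed[i]) return true;
    if (n > fixed[i]) return false;
  }
  return false; // exactly 0.5.1
}

// Constructed sample rows in the shape a morris.js chart consumes (xkey 'y',
// ykey 'a'); the third label stands in for attacker-controlled input.
const SAMPLE_DATA = [
  { y: '2023-01', a: 12 },
  { y: '2023-02', a: 19 },
  { y: '<img src=x onerror=alert(document.cookie)>', a: 7 },
];

if (typeof require !== 'undefined' && require.main === module) {
  const row = SAMPLE_DATA[2];
  console.log('unsafe :', hoverHtmlUnsafe(row.y, row.a));
  console.log('safe   :', hoverHtmlSafe(row.y, row.a));
  console.log('flagged:', findMarkupLabels(SAMPLE_DATA, 'y'));
  console.log('0.4.3 needs upgrade:', needsUpgrade('0.4.3'));
}
```

Escaping at the rendering boundary (the safe variant) is the fix the 0.5.1 upgrade provides; the label scan is only a stopgap for data you already control and does not protect against labels injected later, so it should not be treated as a substitute for upgrading.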