Neat Paraskavedekatriaphobia's Meaning


Severity: moderate

Cross-Site Scripting



Affected versions of morris.js are vulnerable to cross-site scripting attacks in labels that appear when hovering over a particular point on a generated graph. The text content of these labels is not escaped, so if control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.


A patch for this vulnerability was created in 2014, but has still not been published to npm. In order to mitigate this issue effectively, install the library from github via:

npm i morrisjs/morris.js -s


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Apr 14th, 2017
  2. reported

    Initial report by JelteF
    Jan 24th, 2017