Morris.js is vulnerable to cross-site scripting (XSS) attacks. These attacks are possible through the hovering label names. These labels aren’t escaped so if these labels are attacker controlled, malicious script can be executed client side each time a graph is loaded.