GitHub Advisory DatabaseGHSA-9MRV-456V-PF22Cross-site Scripting in vis-timeline
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
Percentile
49.9%
This affects the package vis-timeline before 7.4.4.
An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| visjs | vis-timeline | * | cpe:2.3:a:visjs:vis-timeline:*:*:*:*:*:node.js:*:* |
References
github.com/advisories/GHSA-9mrv-456v-pf22
github.com/visjs/vis-timeline/commit/a7ca349c7b3b6080efd05776ac77bb27176d4d3f
github.com/visjs/vis-timeline/issues/838
github.com/visjs/vis-timeline/pull/840
nvd.nist.gov/vuln/detail/CVE-2020-28487
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVISJS-1063502
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1063501
snyk.io/vuln/SNYK-JS-VISTIMELINE-1063500
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
EPSS
Percentile
49.9%