{"id":"CVE-2020-28487","details":"This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.","aliases":["GHSA-9mrv-456v-pf22"],"modified":"2026-04-11T23:13:04.888608Z","published":"2021-01-22T18:15:12.517Z","related":["SNYK-JAVA-ORGWEBJARSBOWERGITHUBVISJS-1063502","SNYK-JAVA-ORGWEBJARSNPM-1063501","SNYK-JS-VISTIMELINE-1063500"],"references":[{"type":"REPORT","url":"https://github.com/visjs/vis-timeline/issues/838"},{"type":"FIX","url":"https://github.com/visjs/vis-timeline/pull/840"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVISJS-1063502"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1063501"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JS-VISTIMELINE-1063500"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/visjs/vis-timeline","events":[{"introduced":"0"},{"fixed":"a7ca349c7b3b6080efd05776ac77bb27176d4d3f"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:visjs:vis-timeline:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"7.4.4"}]}}],"versions":["v5.0.0","v5.1.0","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.1.0","v6.1.1","v6.2.0","v6.2.1","v6.2.10","v6.2.2","v6.2.3","v6.2.4","v6.2.5","v6.2.6","v6.2.7","v6.2.8","v6.2.9","v6.3.0","v6.3.1","v6.3.2","v6.3.3","v6.3.4","v6.3.5","v6.4.0","v6.4.1","v6.4.2","v6.4.3","v6.5.0","v6.5.1","v6.5.2","v7.0.0","v7.0.1","v7.0.2","v7.1.0","v7.1.3","v7.2.0","v7.2.1","v7.3.0","v7.3.1","v7.3.10","v7.3.11","v7.3.12","v7.3.2","v7.3.3","v7.3.4","v7.3.5","v7.3.6","v7.3.7","v7.3.8","v7.3.9","v7.4.0","v7.4.1","v7.4.2","v7.4.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"}]}