This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.
{
"cpe": "cpe:2.3:a:visjs:vis-timeline:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "7.4.4"
}
],
"source": "CPE_RANGE"
}