CVE-2020-28487

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-28487

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28487.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-28487

Aliases

GHSA-9mrv-456v-pf22

Related

SNYK-JAVA-ORGWEBJARSBOWERGITHUBVISJS-1063502
SNYK-JAVA-ORGWEBJARSNPM-1063501
SNYK-JS-VISTIMELINE-1063500

Published

2021-01-22T18:15:12.517Z

Modified

2026-03-15T22:36:08.529061Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L CVSS Calculator

Summary

[none]

Details

This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.

References

Affected packages

Git / github.com/visjs/vis-timeline

Affected ranges

Type

GIT

Repo

https://github.com/visjs/vis-timeline

Events

Introduced

Fixed

a7ca349c7b3b6080efd05776ac77bb27176d4d3f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.4.4"
        }
    ]
}

Affected versions

v5.*

v5.0.0

v5.1.0

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.1.1

v6.2.0

v6.2.1

v6.2.10

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

v6.2.8

v6.2.9

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v6.5.0

v6.5.1

v6.5.2

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.1.0

v7.1.1

v7.1.2

v7.1.3

v7.2.0

v7.2.1

v7.3.0

v7.3.1

v7.3.10

v7.3.11

v7.3.12

v7.3.2

v7.3.3

v7.3.4

v7.3.5

v7.3.6

v7.3.7

v7.3.8

v7.3.9

v7.4.0

v7.4.1

v7.4.2

v7.4.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28487.json"