PT-2020-14177 · Knight · Timelinejs+1
Captaingeech42 +1
Published: 2020-07-09 · Updated: 2020-07-28
CVE-2020-15092
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TimelineJS versions prior to 3.7.0
knight-lab-timelinejs plugin versions prior to 3.7.0.0
Description
The issue allows an attacker to carry out cross-site scripting (XSS) by placing maliciously crafted content in several data fields. The risk is present whether the source data for the timeline is stored in Google Sheets or in a JSON configuration file. Users are exposed if they grant write access to the document to a malicious insider, if a trusted user's access is compromised, or if they grant public write access to the document. Version 3.7.0 of TimelineJS addresses the vulnerability: it sanitizes content intended to support limited HTML markup and strips all markup from content intended for simple text display.
Recommendations
For TimelineJS versions prior to 3.7.0, update to version 3.7.0 or later to address the issue.
For knight-lab-timelinejs plugin versions prior to 3.7.0.0, update the plugin to version 3.7.0.0 or later.
As a temporary workaround, consider restricting write access to the Google Sheet or JSON file that serves as the data source to prevent exploitation.
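To complement the write-access workaround, a JSON data source can be audited for markup that goes beyond limited formatting before it is trusted. The following Node.js script is an added example, not code from TimelineJS or from this advisory; the tag allowlist, the function names and the sample document are assumptions constructed for illustration.

```javascript
// Added example: heuristic audit of a timeline JSON data source (not TimelineJS code).
// ALLOWED_TAGS is an assumption; the advisory does not list the permitted markup.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote"]);

const TAG_RE = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)/g;
const HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i; // onerror=, onclick=, ...
const SCRIPT_URL_RE = /(?:href|src)\s*=\s*["']?\s*(?:javascript|data|vbscript):/i;

// Return the reasons a single string value should be reviewed by a human.
function inspectValue(value) {
  const reasons = [];
  for (const m of value.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) reasons.push(`tag <${tag}>`);
  }
  if (HANDLER_RE.test(value)) reasons.push("event-handler attribute");
  if (SCRIPT_URL_RE.test(value)) reasons.push("script-capable URL scheme");
  return reasons;
}

// Walk every string in the parsed document and collect findings with their JSON path.
function auditTimeline(node, path = "$", findings = []) {
  if (typeof node === "string") {
    const reasons = inspectValue(node);
    if (reasons.length) findings.push({ path, reasons });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => auditTimeline(item, `${path}[${i}]`, findings));
  } else if (node && typeof node === "object") {
    for (const [key, val] of Object.entries(node)) auditTimeline(val, `${path}.${key}`, findings);
  }
  return findings;
}

// Constructed sample data, not taken from the advisory.
const sample = {
  title: { text: { headline: "Project <em>history</em>", text: "<p>Overview</p>" } },
  events: [
    { text: { headline: "Launch", text: "Plain text entry" } },
    { text: { headline: "Review", text: '<img src="x.png" onerror="track()">' },
      media: { caption: '<a href="javascript:void(0)">source</a>' } },
  ],
};

console.log(JSON.stringify(auditTimeline(sample), null, 2));
```

The patterns are heuristics for triage and do not replace the sanitization added in 3.7.0; a clean result is not proof that a document is safe to render with an older version.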
Fix
XSS
Affected Products
Timelinejs
Knight-Lab-Timelinejs Plugin