SCA: security update for @knight-lab/timelinejs (GHSA-2jpm-827p-j44g)

medium Tenable Self-Hosted Container Security Plugin ID 408964

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS
exploit with maliciously crafted content in a number of data fields. This risk is present whether the
source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most TimelineJS
users configure their timeline with a Google Sheets document. Those users are exposed to this
vulnerability if they grant write access to the document to a malicious inside attacker, if the access of
a trusted user is compromised, or if they grant public write access to the document. Some TimelineJS users
configure their timeline with a JSON document. Those users are exposed to this vulnerability if they grant
write access to the document to a malicious inside attacker, if the access of a trusted user is
compromised, or if write access to the system hosting that document is otherwise compromised. Version
3.7.0 of TimelineJS addresses this in two ways. For content which is intended to support limited HTML
markup for styling and linking, that content is "sanitized" before being added to the DOM. For content
intended for simple text display, all markup is stripped. Very few users of TimelineJS actually install
the TimelineJS code on their server. Most users publish a timeline using a URL hosted on systems we
control. The fix for this issue is published to our system such that **those users will automatically
begin using the new code**. The only exception would be users who have deliberately edited the embed URL
to "pin" their timeline to an earlier version of the code. Some users of TimelineJS use it as a part of a
wordpress plugin (knight-lab-timelinejs). Version 3.7.0.0 of that plugin and newer integrate the updated
code. Users are encouraged to update the plugin rather than manually update the embedded version of
TimelineJS. (CVE-2020-15092)

See Also

https://github.com/advisories/GHSA-2jpm-827p-j44g

Plugin Details

Severity: Medium

ID: 408964

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.69

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-15092

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/9/2020

Vulnerability Publication Date: 7/9/2020

Reference Information

CVE: CVE-2020-15092

cwe: CWE-79