CVE-2020-15092

7.2 HIGH

📋 TL;DR

CVE-2020-15092 is a cross-site scripting (XSS) vulnerability in TimelineJS that allows attackers to execute malicious JavaScript by injecting HTML into timeline data fields. This affects users who configure timelines via Google Sheets or JSON files, particularly when write access is granted to untrusted parties. Most users automatically receive the fix, but those using pinned versions or the WordPress plugin must update manually.

💻 Affected Systems

Products:
  • TimelineJS
  • knight-lab-timelinejs WordPress plugin
Versions: TimelineJS versions before 3.7.0, WordPress plugin versions before 3.7.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Most users rely on hosted TimelineJS URLs and automatically receive fixes; only those with pinned versions or self-hosted installations remain vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially compromising entire user accounts or systems.

🟠 Likely Case

Malicious actors inject scripts to display phishing content, deface timelines, or steal limited user data from vulnerable pages.

🟢 If Mitigated

With proper input sanitization and access controls, the risk is reduced to minimal, preventing script execution while maintaining timeline functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires write access to Google Sheets or JSON configuration files, making it dependent on compromised credentials or insider threats.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TimelineJS 3.7.0, WordPress plugin 3.7.0.0

Vendor Advisory: https://github.com/NUKnightLab/TimelineJS3/security/advisories/GHSA-2jpm-827p-j44g

Restart Required: No

Instructions:

1. For hosted TimelineJS users: Ensure embed URLs are not pinned to older versions.
2. For self-hosted installations: Update to TimelineJS 3.7.0.
3. For WordPress plugin users: Update to knight-lab-timelinejs version 3.7.0.0 or later.

🔧 Temporary Workarounds

Restrict Write Access

all

Limit write permissions for Google Sheets or JSON configuration files to trusted users only.

Input Validation

all

Manually sanitize HTML input in timeline data fields before publishing.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized modifications to timeline data sources.
  • Use content security policies (CSP) to mitigate potential XSS impacts.

🔍 How to Verify

Check if Vulnerable:

Check if using TimelineJS version <3.7.0 or WordPress plugin version <3.7.0.0, or if embed URLs are pinned to older versions.

Check Version:

For self-hosted: Check package.json or source files for version. For WordPress: Check plugin version in admin panel.

Verify Fix Applied:

Confirm TimelineJS version is 3.7.0+ or WordPress plugin is 3.7.0.0+, and test for HTML injection in timeline fields.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to Google Sheets or JSON configuration files
  • Suspicious HTML/script patterns in timeline data

Network Indicators:

  • Unexpected JavaScript execution from timeline domains

SIEM Query:

Search for patterns like '<script>' or 'javascript:' in timeline data sources or web server logs.
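
A heuristic triage scan for the indicators above, as an added example that is not code from the advisory or the TimelineJS project: it walks a timeline JSON document and reports every string field containing script-capable markup. The sample document, its field layout (title, events, text, media) and the pattern list are assumptions made for illustration; the scan supports review of data sources and does not replace the 3.7.0 fix.

```javascript
// Added example: flag script-capable markup in TimelineJS-style JSON data.
// Heuristic for triage of data sources, not a sanitizer.

// Browsers ignore tab/newline characters inside a URL scheme, so strip
// control characters before looking for "javascript:".
const stripCtl = (s) => s.replace(/[\u0000-\u001f]/g, '');

const RULES = [
  ['script-tag', (s) => /<\s*script\b/i.test(s)],
  ['event-handler', (s) => /<[^>]+[\s/"']on[a-z]+\s*=/i.test(s)],
  ['javascript-uri', (s) => /javascript:/i.test(stripCtl(s))],
  ['active-element', (s) => /<\s*(iframe|object|embed|svg|base)\b/i.test(s)],
];

// Recursively visit every value so that no field is skipped, whatever its
// name. Returns a list of { path, rule } findings.
function scanTimeline(node, path = '$', findings = []) {
  if (typeof node === 'string') {
    for (const [rule, hit] of RULES) {
      if (hit(node)) findings.push({ path, rule });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => scanTimeline(v, `${path}[${i}]`, findings));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      scanTimeline(v, `${path}.${k}`, findings);
    }
  }
  return findings;
}

// Constructed sample data: ordinary formatting markup plus two suspicious fields.
const SAMPLE = {
  title: { text: { headline: 'Company history', text: '<p>Founded in <b>1998</b>.</p>' } },
  events: [
    { start_date: { year: '2001' },
      text: { headline: 'First office',
              text: 'See <a href="https://example.org/office">photos</a>.' } },
    { start_date: { year: '2005' },
      text: { headline: 'Expansion <script src="https://example.invalid/x.js"></script>',
              text: 'New site' },
      media: { url: 'https://example.org/a.png',
               caption: '<a href="javascript:void(0)">more</a>' } },
  ],
};

console.log(scanTimeline(SAMPLE));
```

Run the same function over each exported sheet or JSON file after any edit by a collaborator; a finding identifies the exact field to review.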
