CVE-2022-1295

HIGH7.3EPSS 0.58%

Prototype Pollution in fullpage.js

Published: 4/12/2022Modified: 11/8/2023

Description

fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-case (other than fullPage) as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability. Javascript is "prototype" language which means when a new "object" is created, it carries the predefined properties and methods of an "object" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that "object" type. If the victim developer has used that property anywhere in the code, then it will have severe effect on the application.

Affected packages (1)

npm/fullpage.jsfrom 0, < 4.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1295
PATCHhttps://github.com/alvarotrigo/fullpage.js
WEBhttps://github.com/alvarotrigo/fullpage.js/commit/bf62492a22e5d296e63c3ed918a42fc5645a0d48
WEBhttps://huntr.dev/bounties/3b9d450c-24ac-4037-b04d-4d4dafbf593a