CVE-2022-1295
Prototype Pollution in fullpage.js
Description
fullPage exposes its utility functions to developers as `window.fp_utils`, and developers may use them for their own purposes, not only for fullPage itself. One of those utils, `deepExtend`, is vulnerable to prototype pollution. JavaScript is a prototype-based language: every new object inherits the properties and methods of its prototype (for plain objects, `Object.prototype`), such as `toString` and `constructor`. Because `deepExtend` recursively copies keys from a source object into a target object, a source object that contains a `__proto__` key lets an attacker create or overwrite properties on `Object.prototype`, where they become visible on every object in the page. If the application reads such a property anywhere in its code (for example, a flag it checks before granting access), the pollution can have a severe effect on the application.
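To make the mechanism concrete, the following is an added example and not fullpage.js's own code: a minimal recursive deep-merge modelled on what a deepExtend-style utility does, shown in a naive form and a hardened form, fed a constructed attacker-controlled options object. The option names, the `isAdmin` flag, the `renderForUser` helper and the "common mitigation" used in the hardened variant are assumptions for illustration, not a description of the patch shipped in 4.0.2.

```javascript
// Added example (not fullpage.js's own code): a minimal recursive deep-merge
// in the style of a deepExtend utility, first as written naively and then
// hardened. Option names and the isAdmin flag are constructed for illustration.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Naive deep merge: copies every own key of `source` into `target`, recursing
// into nested objects. Reading target['__proto__'] returns target's prototype
// (Object.prototype for a plain object), so a "__proto__" key in `source`
// makes the recursion write into Object.prototype itself.
function deepExtendVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepExtendVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: refuses the keys that can reach a prototype and only
// recurses into a slot that is the target's *own* property, never an
// inherited one. This is a common mitigation, not a claim about the exact
// patch in fullpage.js 4.0.2.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      deepExtendSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. options parsed from a URL
// fragment or a postMessage payload. JSON.parse creates an *own* property
// literally named "__proto__", so Object.keys() enumerates it.
const UNTRUSTED_OPTIONS = JSON.parse(
  '{"anchors":["home","about"],"__proto__":{"isAdmin":true}}'
);

// Hypothetical application code that trusts a property it never set itself.
function renderForUser(user) {
  return user.isAdmin ? 'admin-panel' : 'user-view';
}

// Detection check: compare Object.prototype's own property names against the
// set recorded at load time; any new name is a sign of pollution.
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE_PROTO_KEYS.has(k));
}

// Run one merge implementation and report whether Object.prototype was
// polluted; cleans up afterwards so each run starts from a clean prototype.
function runMerge(mergeFn) {
  const merged = mergeFn({ anchors: [] }, UNTRUSTED_OPTIONS);
  const result = {
    mergedAnchors: merged.anchors,
    prototypePolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin'),
    // A user object that never mentions isAdmin still "has" it once polluted.
    viewForPlainUser: renderForUser({ name: 'alice' }),
    unexpectedKeys: unexpectedPrototypeKeys(),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('vulnerable:', runMerge(deepExtendVulnerable));
console.log('hardened:  ', runMerge(deepExtendSafe));
```

With the naive merge, `renderForUser({ name: 'alice' })` returns `'admin-panel'` even though the user object never had an `isAdmin` key, which is the "severe effect" the description refers to; with the hardened merge the same call returns `'user-view'` and `Object.prototype` stays untouched. The `unexpectedPrototypeKeys` check is the kind of assertion worth running in the browser console after loading third-party utilities.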
How to fix CVE-2022-1295
To remediate CVE-2022-1295, upgrade the affected package to a fixed version below.
- upgrade fullpage.js to 4.0.2 or later
Is CVE-2022-1295 being exploited?
Low — EPSS is 0.6%, a low estimated probability of exploitation in the wild; no exploitation activity at scale has been reported.
Affected packages (1)
- fullpage.js: all versions from 0 up to but not including 4.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |