CVE-2022-3901 – CVE-2022-3901 is a prototype pollution vulnerab... (How to Fix)

Q: What is the severity of CVE-2022-3901?

CVE-2022-3901 has a CVSS score of 7.2 (HIGH). CVE-2022-3901 is a prototype pollution vulnerability in Visioweb.js 1.10.6 that allows attackers to inject malicious properties into JavaScript objects. This can lead to cross-site scripting (XSS) attacks where arbitrary JavaScript executes in victims' browsers. Any web application using the vulnerable Visioweb.js library is affected.

📋 TL;DR

CVE-2022-3901 is a prototype pollution vulnerability in Visioweb.js 1.10.6 that allows attackers to inject malicious properties into JavaScript objects. This can lead to cross-site scripting (XSS) attacks where arbitrary JavaScript executes in victims' browsers. Any web application using the vulnerable Visioweb.js library is affected.

💻 Affected Systems

Products:

Visioweb.js

Versions: 1.10.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Any web application embedding Visioweb.js 1.10.6 is vulnerable regardless of backend technology.

📦 What is this software?

Visioweb by Visioglobe

View all CVEs affecting Visioweb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of user sessions, credential theft, account takeover, and malware delivery to all users of affected applications.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.

🟢

If Mitigated

Limited impact with proper content security policies, input validation, and modern browser security features.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Prototype pollution vulnerabilities are well-understood and often weaponized for XSS attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.7 or later

Vendor Advisory: https://csirt.divd.nl/CVE-2022-3901

Restart Required: No

Instructions:

1. Identify all instances of Visioweb.js 1.10.6 in your codebase. 2. Update to version 1.10.7 or later. 3. Test application functionality after update. 4. Deploy updated version to production.

🔧 Temporary Workarounds

Content Security Policy

all

Implement strict CSP headers to block inline scripts and restrict script sources

Content-Security-Policy: script-src 'self' https://trusted.cdn.com; object-src 'none';

Input Sanitization

all

Sanitize all user inputs before processing by Visioweb.js

🧯 If You Can't Patch

Implement strict Content Security Policy headers
Disable or remove Visioweb.js functionality if not essential

🔍 How to Verify

Check if Vulnerable:

Check package.json or script tags for Visioweb.js version 1.10.6

Check Version:

grep -r "visioweb.js" . --include="*.js" --include="*.html" --include="package.json"

Verify Fix Applied:

Confirm Visioweb.js version is 1.10.7 or later in package.json and loaded scripts

📡 Detection & Monitoring

Log Indicators:

Unusual JavaScript errors related to object properties
Multiple failed XSS attempts

Network Indicators:

Suspicious JavaScript payloads in HTTP requests
Unusual outbound connections after page load

SIEM Query:

source="web_server" AND ("visioweb.js" OR "CVE-2022-3901") AND status=200

📊 Metadata

CVE ID: CVE-2022-3901

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-1321

Published: February 20, 2023

Last Updated: November 21, 2024

🔗 References

https://csirt.divd.nl/CVE-2022-3901 Third Party Advisory
https://csirt.divd.nl/CVE-2022-3901 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-3901, you might also want to check these: