CVE-2022-3901 - Vulnerability Details - OpenCVE

Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00109.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Visioglobe	Visioweb

Configuration 1 [-]

cpe:2.3:a:visioglobe:visioweb:1.10.6:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Upgrade to Visioweb 1.10.7

Workaround

No workaround given by the vendor.

References

Link	Providers
https://csirt.divd.nl/CVE-2022-3901

History

Wed, 12 Mar 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: DIVD

Published: 2023-02-20T18:07:34.082Z

Updated: 2025-04-01T04:48:08.974Z

Reserved: 2022-11-08T20:46:53.390Z

Link: CVE-2022-3901

Vulnrichment

Updated: 2024-08-03T01:20:58.640Z

NVD

Status : Modified

Published: 2023-02-20T19:15:10.517

Modified: 2024-11-21T07:20:29.840

Link: CVE-2022-3901

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3901", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2022-11-08T20:46:53.390Z", "datePublished": "2023-02-20T18:07:34.082Z", "dateUpdated": "2025-04-01T04:48:08.974Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "Visioweb", "vendor": "Visio Globe", "versions": [{"lessThanOrEqual": "1.10.6", "status": "affected", "version": "0", "versionType": "1.10.6"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan-Jaap Korpershoek"}, {"lang": "en", "type": "analyst", "user": "00000000-0000-4000-9000-000000000000", "value": "Victor Pasman (DIVD)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system."}], "value": "Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-04-01T04:48:08.974Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://csirt.divd.nl/CVE-2022-3901"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to Visioweb 1.10.7"}], "value": "Upgrade to Visioweb 1.10.7"}], "title": "Visioweb.js - Prototype Pollution can results in XSS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:58.640Z"}, "title": "CVE Program Container", "references": [{"url": "https://csirt.divd.nl/CVE-2022-3901", "tags": ["third-party-advisory", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T18:09:19.196616Z", "id": "CVE-2022-3901", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T18:09:24.472Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://csirt.divd.nl/CVE-2022-3901", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:20:58.640Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T18:09:19.196616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T18:08:11.036Z"}}], "cna": {"title": "Visioweb.js - Prototype Pollution can results in XSS", "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jan-Jaap Korpershoek"}, {"lang": "en", "type": "analyst", "user": "00000000-0000-4000-9000-000000000000", "value": "Victor Pasman (DIVD)"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Visio Globe", "product": "Visioweb", "versions": [{"status": "affected", "version": "0", "versionType": "1.10.6", "lessThanOrEqual": "1.10.6"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to Visioweb 1.10.7", "supportingMedia": [{"type": "text/html", "value": "Upgrade to Visioweb 1.10.7", "base64": false}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2022-3901", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.", "supportingMedia": [{"type": "text/html", "value": "Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-04-01T04:48:08.974Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3901", "state": "PUBLISHED", "dateUpdated": "2025-04-01T04:48:08.974Z", "dateReserved": "2022-11-08T20:46:53.390Z", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "datePublished": "2023-02-20T18:07:34.082Z", "assignerShortName": "DIVD"}, "dataVersion": "5.1"}