CVE-2022-1330: 
JavaScript vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the GitHub repository alvarotrigo/fullpage.js versions prior to 4.0.4. The vulnerability was identified and tracked as CVE-2022-1330, which was disclosed on April 12, 2022. The issue stems from unsanitized anchor URLs in the application (NVD, CVE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the National Vulnerability Database, the severity assessment varies with CVSS v3.1 scores ranging from 5.4 (MEDIUM) to 9.4 (CRITICAL). The NVD score of 5.4 has a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while huntr.dev assessed it at 9.4 with a vector string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H (NVD).

The stored XSS vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers who access the affected pages. This could lead to unauthorized access to sensitive information, session hijacking, or other malicious activities typically associated with XSS attacks (NVD).

The vulnerability was patched in version 4.0.4 of fullpage.js. The fix involves properly encoding URI components in the navigation bullet links, as evidenced by the commit that addresses the issue. Users are advised to upgrade to version 4.0.4 or later to mitigate this vulnerability (GitHub Patch).