CVELIST:CVE-2021-43852
History: Jan 04, 2022 - 7:40 p.m.

CVE-2021-43852 JavaScript Prototype Pollution in oro/platform

2022-01-04 19:40:10
CWE-74
GitHub_M
www.cve.org
javascript
prototype pollution
oro/platform
injection
js code execution
vulnerability
patched
php
business application platform
security mitigation
version 4.2.8
firewall configuration

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

EPSS

0.002

Percentile

65.1%

OroPlatform is a PHP Business Application Platform. In affected versions, by sending a specially crafted request an attacker could inject properties into the prototypes of existing JavaScript language constructs, such as Object. That injection may later lead to JS code execution through libraries that are vulnerable to prototype pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing the following strings: __proto__, constructor[prototype], and constructor.prototype. Such a string filter is a stop-gap only: it has to be applied to the decoded request (percent-encoded spellings of the same strings otherwise pass a raw-byte match), and it does not fix the parsing logic that performs the write, so upgrading remains the remediation.
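As an added example (not OroPlatform's code and not taken from its patch), the JavaScript below shows the mechanism the advisory describes: a query-string parser of the `a[b][c]=v` style that follows client-supplied key paths can be steered into Object.prototype through both key spellings named above, a hardened parser that refuses them, and a request check that mirrors the suggested firewall rule. The parser, the helper names (`keyPath`, `parsePair`, `unsafeDeparam`, `safeDeparam`, `requestHasPollutionVector`) and the sample query strings are this example's own assumptions.

```javascript
// Added example, not OroPlatform's code: an "a[b][c]=v" query-string parser
// that can be steered into Object.prototype, a hardened parser, and a
// request check mirroring the advisory's firewall rule. Function and key
// names are this example's own.

// "constructor[prototype][x]" and "constructor.prototype.x" both become
// ["constructor", "prototype", "x"]; both spellings appear in the advisory.
function keyPath(key) {
  return key.split(/\]\[|\[|\]|\./).filter(Boolean);
}

// Splits "k=v" into decoded key and value ("k" alone yields an empty value).
function parsePair(pair) {
  const eq = pair.indexOf('=');
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
  return [decodeURIComponent(rawKey), decodeURIComponent(rawValue)];
}

// Intentionally vulnerable: it follows whatever path the client supplies.
// On a plain object, cursor["__proto__"] is Object.prototype, and
// cursor["constructor"] is the Object function, whose "prototype" is again
// Object.prototype, so the final assignment lands on every object.
function unsafeDeparam(query) {
  const result = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [key, value] = parsePair(pair);
    const path = keyPath(key);
    if (path.length === 0) continue;
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (cursor[path[i]] === undefined) cursor[path[i]] = {};
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuses path segments that reach a prototype, and builds
// null-prototype objects so there is no inherited "__proto__" setter or
// "constructor" left to walk into even if a check were missed.
function safeDeparam(query) {
  const result = Object.create(null);
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [key, value] = parsePair(pair);
    const path = keyPath(key);
    if (path.length === 0) continue;
    if (path.some((p) => DANGEROUS_KEYS.has(p))) {
      throw new Error(`rejected key "${key}": prototype pollution vector`);
    }
    let cursor = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cursor[path[i]] !== 'object' || cursor[path[i]] === null) {
        cursor[path[i]] = Object.create(null);
      }
      cursor = cursor[path[i]];
    }
    cursor[path[path.length - 1]] = value;
  }
  return result;
}

// The advisory's stop-gap, applied to the decoded query string. Matching
// only the raw URL would miss "%5F%5Fproto%5F%5F"; malformed percent
// encoding is treated as suspicious rather than let through.
const BLOCKED_STRINGS = ['__proto__', 'constructor[prototype]', 'constructor.prototype'];

function requestHasPollutionVector(rawQuery) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQuery);
  } catch (err) {
    return true;
  }
  return BLOCKED_STRINGS.some((s) => decoded.includes(s));
}

// Pollute through the vulnerable parser, read the value back from an
// unrelated fresh object, then remove it so the process is left clean.
function demonstrate() {
  unsafeDeparam('constructor[prototype][isAdmin]=true');
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('fresh object reports isAdmin =', demonstrate());
```

The rejection list in `safeDeparam` blocks `constructor` as a whole segment rather than only the `constructor[prototype]` pair, which is stricter than the firewall rule but closes the dot and bracket spellings at once; the null-prototype result objects mean a caller reading `result.constructor` gets `undefined`, which is the intended behaviour for parsed user input.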

CNA Affected

[
  {
    "product": "platform",
    "vendor": "oroinc",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.2.8"
      }
    ]
  }
]
