CVE-2021-43852 – oro/platform
Package
Manager: composer
Name: oro/platform
Vulnerable Version: >=4.1.0 <4.1.14 || >=4.2.0 <4.2.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00626 (percentile 0.693)
Details
Client-Side JavaScript Prototype Pollution in oro/platform

### Summary
By sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution.

### Workarounds
Configure the WAF to drop requests containing the following strings: `__proto__`, `constructor[prototype]`, `constructor.prototype`
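The two layers of defence the advisory implies, as an added example that is not code from the advisory or from OroPlatform: a request guard that matches the three listed strings (the WAF workaround), and a hardened deep merge that refuses keys able to reach `Object.prototype`. The function names and the sample request body are constructed for this example.

```javascript
// Added example, not code from the advisory or from OroPlatform. Part 1 mirrors
// the WAF workaround (flag raw requests carrying the listed strings); part 2 is
// the application-side fix: a deep merge that cannot reach Object.prototype.
const BLOCKED_PATTERNS = [
  /__proto__/i,
  /constructor\s*\[\s*['"]?prototype['"]?\s*\]/i, // constructor[prototype]
  /constructor\s*\.\s*prototype/i,                // constructor.prototype
];
// URL-decode once so "constructor%5Bprototype%5D" matches too; malformed
// sequences are returned unchanged rather than throwing.
function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}
// True if a raw request fragment (path, query string or body) contains one of
// the strings the advisory recommends dropping at the WAF.
function requestLooksLikePrototypePollution(raw) {
  return BLOCKED_PATTERNS.some((re) => re.test(decodeOnce(raw)));
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}
// Deep-merge `source` into `target`, skipping keys that could redirect the
// write into a prototype; only own, plain-object children are recursed into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body whose keys try to climb into Object.prototype.
const SAMPLE_BODY = '{"name":"x","__proto__":{"polluted":"yes"},' +
  '"constructor":{"prototype":{"polluted":"yes"}}}';
// Returns [guardTriggered, prototypePolluted, mergedName] for the sample.
function runSample() {
  const guard = requestLooksLikePrototypePollution(SAMPLE_BODY);
  const merged = safeMerge({}, JSON.parse(SAMPLE_BODY));
  return [guard, 'polluted' in {}, merged.name];
}
```

The sample also shows the workaround's limit: the nested `"constructor":{"prototype":...}` form in a JSON body is not one of the three listed strings, so only the merge-side check stops it.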
Metadata
Created: 2022-01-06T18:29:51Z
Modified: 2022-01-04T22:46:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jx5q-g37m-h5hj/GHSA-jx5q-g37m-h5hj.json
CWE IDs: ["CWE-1321", "CWE-74"]
Alternative ID: GHSA-jx5q-g37m-h5hj
Finding: F390
Auto approve: 1