CVE-2021-43852 Information

Jun 07, 2022 cve

Description

OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request an attacker could inject properties into existing JavaScript language construct prototypes such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing next strings: __proto__ constructor[prototype] and constructor.prototype to mitigate this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9 https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8

Share on: