CVE-2021-43852

Опубликовано: 04 янв. 2022

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing next strings: __proto__ , constructor[prototype], and constructor.prototype to mitigate this issue.

Ссылки

https://github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9
Patch
Third Party Advisory
https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj
Mitigation
Third Party Advisory
https://github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9
Patch
Third Party Advisory
https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj
Mitigation
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*

Версия от 4.1.0 (включая) до 4.1.14 (исключая)

cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*

Версия от 4.2.0 (включая) до 4.2.8 (исключая)

EPSS

Процентиль: 70%

0.00626

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-74

CWE-1321

Связанные уязвимости

GHSA-jx5q-g37m-h5hj

CVSS3: 5.3

github

около 4 лет назад

Client-Side JavaScript Prototype Pollution in oro/platform

EPSS

Процентиль: 70%

0.00626

Низкий

8.8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-74

CWE-1321