CVE-2021-43852, GHSA-jx5q-g37m-h5hj
packagist/oro/platform
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
OroPlatform is a PHP Business Application Platform. an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that is vulnerable to Prototype Pollution. This issue has been patched Users unable to upgrade may configure a firewall to drop requests containing next strings: __proto__
, constructor[prototype]
, and constructor.prototype
to mitigate this issue.
All versions starting from 4.1.0 before 4.1.14, all versions starting from 4.2.0 before 4.2.8
Upgrade to version 4.2.8 or above.
2022-01-13
source |