CVE-2021-43852

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in packagist/oro/platform

Identifiers

CVE-2021-43852, GHSA-jx5q-g37m-h5hj

Package Slug

packagist/oro/platform

Vulnerability

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Description

OroPlatform is a PHP Business Application Platform. an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that is vulnerable to Prototype Pollution. This issue has been patched Users unable to upgrade may configure a firewall to drop requests containing next strings: __proto__, constructor[prototype], and constructor.prototype to mitigate this issue.

Affected Versions

All versions starting from 4.1.0 before 4.1.14, all versions starting from 4.2.0 before 4.2.8

Solution

Upgrade to version 4.2.8 or above.

Last Modified

2022-01-13

source