CVE-2021-43852: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

January 4, 2022 (updated January 12, 2022)

OroPlatform is a PHP Business Application Platform. an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that is vulnerable to Prototype Pollution. This issue has been patched Users unable to upgrade may configure a firewall to drop requests containing next strings: __proto__, constructor[prototype], and constructor.prototype to mitigate this issue.

References

github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9
github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj
nvd.nist.gov/vuln/detail/CVE-2021-43852

Detect and mitigate CVE-2021-43852 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →