CVE-2021-43852

JavaScript Prototype Pollution in oro/platform

CVSS 8.8 HIGH · EPSS 1.1% · CWE-74
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track. No sign of exploitation, so monitor.
Indicators: CVSS 8.8 · EPSS 1.1% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle: 04 Jan 2022, published in the NVD
Recommendation: Monitor; no sign of exploitation at this time.
OroPlatform is a PHP Business Application Platform. In affected versions, by sending a specially crafted request, an attacker could inject properties into the prototypes of existing JavaScript language constructs, such as objects. This injection may later lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing the following strings: `__proto__`, `constructor[prototype]`, and `constructor.prototype`, to mitigate this issue.
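The interim mitigation above, as an added example that is not code from the advisory or from OroPlatform: a request filter that drops requests carrying the three listed strings, checking both the raw URL/body text and the keys of a parsed JSON body (assumed request shape: `{ url, body }` with `body` a raw string).

```javascript
// Added example, not code from the advisory or from OroPlatform: a request
// filter applying the interim mitigation above, dropping requests that carry
// `__proto__`, `constructor[prototype]` or `constructor.prototype`.
// Assumption: a request is modelled as { url, body } with body a raw string.
const BLOCKED_MARKERS = ['__proto__', 'constructor[prototype]', 'constructor.prototype'];

// Percent-decode before matching so an encoded form of a marker is seen too
// (an added precaution; the advisory lists only the plain strings).
function normalize(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Substring check over a raw string; returns the marker found or null.
function findBlockedMarker(text) {
  const haystack = normalize(String(text));
  return BLOCKED_MARKERS.find((m) => haystack.includes(m)) || null;
}

// Walk a parsed JSON body key by key: "__proto__" survives JSON.parse as an own
// property, and a "constructor" object holding a "prototype" key is the
// structural form of constructor.prototype, which a raw substring match misses.
function findBlockedKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '__proto__') return here;
    const child = value[key];
    if (key === 'constructor' && child !== null && typeof child === 'object' &&
        Object.prototype.hasOwnProperty.call(child, 'prototype')) {
      return `${here}.prototype`;
    }
    const nested = findBlockedKey(child, here);
    if (nested) return nested;
  }
  return null;
}

// Decision for one request: { drop: boolean, reason: string | null }.
function inspectRequest(req) {
  const inUrl = findBlockedMarker(req.url || '');
  if (inUrl) return { drop: true, reason: `url contains ${inUrl}` };
  const inBody = findBlockedMarker(req.body || '');
  if (inBody) return { drop: true, reason: `body contains ${inBody}` };
  let parsed = null;
  try { parsed = JSON.parse(req.body || ''); } catch { /* not JSON: nothing to walk */ }
  const key = findBlockedKey(parsed);
  if (key) return { drop: true, reason: `body key ${key}` };
  return { drop: false, reason: null };
}
```

A string match alone is enough for the three literal forms; the parsed-key walk covers the same property path when it arrives as nested JSON rather than as a single token.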
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Affected products
oroinc · platform