CVE-2021-43852

JavaScript Prototype Pollution in oro/platform

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing next strings: `__proto__` , `constructor[prototype]`, and `constructor.prototype` to mitigate this issue.

OroPlatform es una plataforma de aplicaciones empresariales PHP. En las versiones afectadas, mediante el envío de una petición especialmente diseñada, un atacante podría inyectar propiedades en los prototipos de construcción del lenguaje JavaScript existentes, como los objetos. Posteriormente esta inyección podría conllevar a una ejecución de código JS por parte de las librerías que son vulnerables a una Contaminación de Prototipos. Este problema ha sido parcheado en la versión 4.2.8. Los usuarios que no puedan actualizar pueden configurar un firewall para que elimine las peticiones que contengan las siguientes cadenas "__proto__", "constructor[prototype]", y "constructor.prototype" para mitigar este problema

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-01-04 CVE Published
2024-08-04 CVE Updated
2024-09-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CAPEC

References (2)

URL	Tag	Source
https://github.com/oroinc/platform/security/advisories/GHSA-jx5q-g37m-h5hj	Mitigation

URL	Date	SRC

URL	Date	SRC
https://github.com/oroinc/platform/commit/62c26936b3adee9c20255dcd9f8ee5c299b464a9	2022-01-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oroinc Search vendor "Oroinc"		Oroplatform Search vendor "Oroinc" for product "Oroplatform"				>= 4.1.0 < 4.1.14 Search vendor "Oroinc" for product "Oroplatform" and version " >= 4.1.0 < 4.1.14"		-		Affected
Oroinc Search vendor "Oroinc"		Oroplatform Search vendor "Oroinc" for product "Oroplatform"				>= 4.2.0 < 4.2.8 Search vendor "Oroinc" for product "Oroplatform" and version " >= 4.2.0 < 4.2.8"		-		Affected