GHSA-jx5q-g37m-h5hj

Source
https://github.com/advisories/GHSA-jx5q-g37m-h5hj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jx5q-g37m-h5hj/GHSA-jx5q-g37m-h5hj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jx5q-g37m-h5hj
Aliases
Published
2022-01-06T18:29:51Z
Modified
2023-11-08T04:07:14.528622Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Client-Side JavaScript Prototype Pollution in oro/platform
Details

Summary

By sending a specially crafted request, an attacker could inject properties into the prototypes of built-in JavaScript language constructs, such as Object. This injection may later lead to JS code execution through libraries that are vulnerable to prototype pollution.

Workarounds

Configure the WAF to drop requests containing any of the following strings: `__proto__`, `constructor[prototype]`, `constructor.prototype`.
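The WAF workaround above, as an added example that is not part of this advisory or of oro/platform: a request screening check in JavaScript that flags the three key patterns the advisory lists, both in raw request text (URL-decoded first, so encoded forms are also caught) and as keys of an already-parsed JSON body. The request samples are constructed for illustration.

```javascript
// Added example, not code from the advisory or from oro/platform.
// Mirrors the WAF workaround: reject requests carrying the key patterns
// that let a deep merge reach Object.prototype.

// Raw-text check over a query string or body: the three patterns the
// advisory names, matched after URL decoding so that encoded forms
// (e.g. %5F%5Fproto%5F%5F) do not slip past a plain substring rule.
function rawTextLooksPolluting(raw) {
  let text = raw;
  try { text = decodeURIComponent(raw); } catch (e) { /* keep undecoded text */ }
  return /__proto__|constructor\[prototype\]|constructor\.prototype/.test(text);
}

// Structured check over a parsed JSON body: "__proto__" at any depth, or a
// "constructor" object that itself carries a "prototype" key. A plain
// "prototype" key elsewhere is left alone, since it cannot reach a prototype
// on its own. Depth is capped to bound recursion on hostile input.
function bodyHasPrototypeKey(value, depth = 0) {
  if (value === null || typeof value !== 'object' || depth > 32) return false;
  if (Array.isArray(value)) return value.some(v => bodyHasPrototypeKey(v, depth + 1));
  for (const key of Object.keys(value)) {
    if (key === '__proto__') return true;
    const child = value[key];
    if (key === 'constructor' && child !== null && typeof child === 'object' &&
        Object.prototype.hasOwnProperty.call(child, 'prototype')) return true;
    if (bodyHasPrototypeKey(child, depth + 1)) return true;
  }
  return false;
}

// Combined decision for one request; returns { drop, reason }.
function screenRequest({ query = '', rawBody = '' }) {
  if (rawTextLooksPolluting(query)) return { drop: true, reason: 'query' };
  if (rawTextLooksPolluting(rawBody)) return { drop: true, reason: 'body-text' };
  try {
    if (bodyHasPrototypeKey(JSON.parse(rawBody))) return { drop: true, reason: 'body-key' };
  } catch (e) { /* not JSON; the text check above already ran */ }
  return { drop: false, reason: null };
}

// Constructed samples: one benign request, one with an encoded query key,
// one with a nested JSON body key.
const SAMPLES = [
  { query: 'page=2&sort=name', rawBody: '{"name":"Acme","constructor":"Widget"}' },
  { query: 'a=1&%5F%5Fproto%5F%5F%5Bx%5D=1', rawBody: '' },
  { query: '', rawBody: '{"profile":{"__proto__":{"isAdmin":true}}}' },
];
```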

Database specific
{
    "nvd_published_at": "2022-01-04T20:15:00Z",
    "github_reviewed_at": "2022-01-04T22:46:13Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1321",
        "CWE-74"
    ]
}
References

Affected packages

Packagist / oro/platform

Package

Name
oro/platform
Purl
pkg:composer/oro/platform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.14

Affected versions

4.*

4.1.0
4.1.1-rc
4.1.1-rc2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11
4.1.12
4.1.13

Packagist / oro/platform

Package

Name
oro/platform
Purl
pkg:composer/oro/platform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.8

Affected versions

4.*

4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7