PT-2022-11920 · Unknown · Oroplatform

Rgrebenchuk · Published 2022-01-04 · Updated 2022-01-12 · CVE-2021-43852

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions

OroPlatform versions prior to 4.2.8

Description

The issue allows an attacker to inject properties into the prototypes of existing JavaScript language constructs, such as Object, by sending a specially crafted request. This injection may lead to JavaScript code execution through libraries that are vulnerable to Prototype Pollution.

Recommendations

For versions prior to 4.2.8, update to version 4.2.8 to resolve the issue. As a temporary workaround, consider configuring a firewall or WAF to drop requests containing the strings `__proto__`, `constructor[prototype]` and `constructor.prototype` to mitigate this issue.

Fix

Special Elements Injection

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2021-43852
GHSA-JX5Q-G37M-H5HJ

Affected Products

Oroplatform