Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
JavaScript Prototype Pollution in oro/platform
Vulnerability Description
OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing next strings: `__proto__` , `constructor[prototype]`, and `constructor.prototype` to mitigate this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
OroPlatform 注入漏洞
Vulnerability Description
OroPlatform是一个 PHP 业务应用程序平台 (BAP),旨在使自定义业务应用程序的开发更容易、更快。 OroPlatform存在安全漏洞,该漏洞源于软件对于JavaScript的属性缺少有效的过滤和转义。通过发送特别设计的请求,攻击者可利用该漏洞将属性注入到现有的JavaScript语言构造原型中,比如对象。之后,这个注入可能会导致软件被容易受到原型污染的库进行JavaScript代码执行。
CVSS Information
N/A
Vulnerability Type
N/A