CVE-2021-20086
Published: 2021-04-23
Priority: P2 · 59 · high · CVSS 3.1 base score 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit likelihood (EPSS): 6.10% (92.5th percentile)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jquery-bbq_project | jquery-bbq | — | — |
| jquery-bbq_project | jquery-bbq | 0 – 1.2.1 | — |
Detection & IOCs (extracted from sources)
- URL: {{BaseURL}}/?__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x
- URL: {{BaseURL}}/?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&constructor%5Bprototype%5D%5Bjquery%5D=x
- URL: https://[odoo-app]/affected_page?__proto__%5Bcontext%5D=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&__proto__%5Bjquery%5D=x
- URL: https://[odoo-app]/affected_page?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&constructor%5Bprototype%5D%5Bjquery%5D=x
- Nuclei DSL matcher (condition: and): `!contains(body, "debug:")`, `contains_all(body, "alert(document.domain)","var odoo =")`, `status_code == 200`
- Detect prototype-pollution XSS attempts via URL parameters containing `__proto__` or `constructor[prototype]` patterns targeting Odoo instances (identifiable by `var odoo =` in the response body).
- The Shodan query `html:"Odoo"` can be used to identify internet-exposed Odoo instances potentially vulnerable to this prototype-pollution XSS via jquery-bbq's deparam().
- The vulnerability is triggered through the deparam() function in jquery-bbq 1.2.1 when it parses unsanitized URL query parameters; monitor for requests whose query-string keys contain URL-encoded `__proto__` or `constructor[prototype]`.
- Two distinct attack vectors exist: one using the `__proto__[context]` and `__proto__[jquery]` parameters (initial patch bypass), and another using the `constructor[prototype][context]` and `constructor[prototype][jquery]` parameters (workaround bypass).
- The Nuclei template sets `stop-at-first-match: true` over two request paths, so once the first payload URL matches the second is never sent; to confirm coverage of both vectors (`__proto__` and `constructor[prototype]`) test each payload independently.
- Exploitation requires user interaction (the victim must open a specially crafted link); this is a reflected XSS, not stored, so detection should focus on inbound request patterns rather than stored content. Note that the NVD vector below nevertheless scores UI:N.
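As an added illustration of the two vectors and the monitoring advice above (example code written for this page; it is not jquery-bbq's own code and is not taken from the Nuclei template or the Tenable write-up): a cut-down re-implementation of the bracket-key walk that deparam()-style parsers perform, a hardened variant, and a request-side check over query keys. The payload constants are the two `{{BaseURL}}` probe query strings from the IOC list; the names `deparamVulnerable`, `deparamSafe`, `pollutionResult`, `isPrototypePollutionProbe`, `parsePairs` and `safeDecode` are chosen here and do not exist in the library.

```javascript
// Added example, not jquery-bbq's own code: a cut-down bracket-notation query
// parser that keeps only the nested-key walk responsible for the pollution.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// The two probe query strings from the page's IOC list (host part removed).
const PAYLOAD_PROTO =
  '__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x';
const PAYLOAD_CTOR =
  'constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&constructor%5Bprototype%5D%5Bjquery%5D=x';

// Percent-decode without throwing on malformed input; '+' is a space in query strings.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// "?a[b][c]=1&d=2" -> [{ parts: ['a','b','c'], val: '1' }, { parts: ['d'], val: '2' }]
function parsePairs(query) {
  const out = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const val = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    out.push({ parts: key.replace(/\]/g, '').split('['), val });
  }
  return out;
}

// Vulnerable walk: each intermediate segment is looked up on the current
// object with no own-property check. result["__proto__"] resolves to
// Object.prototype, and result["constructor"]["prototype"] does too, so the
// final assignment lands on the shared prototype instead of on `result`.
function deparamVulnerable(query) {
  const result = {};
  for (const { parts, val } of parsePairs(query)) {
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (!cur[parts[i]]) cur[parts[i]] = {};   // inherited values are truthy, so no new object
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = val;
  }
  return result;
}

// Hardened walk: drop any parameter whose key path contains a prototype-related
// segment, and build containers with a null prototype so an unknown segment can
// never resolve to an inherited property.
function deparamSafe(query) {
  const result = Object.create(null);
  for (const { parts, val } of parsePairs(query)) {
    if (parts.some((p) => FORBIDDEN.has(p))) continue;
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = Object.create(null);
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = val;
  }
  return result;
}

// Run the vulnerable parser, report what a brand-new object now inherits for
// each named property, then remove the pollution so the process stays clean.
function pollutionResult(query, props) {
  deparamVulnerable(query);
  const inherited = {};
  for (const p of props) {
    inherited[p] = ({})[p];        // read through the prototype chain
    delete Object.prototype[p];    // clean up
  }
  return inherited;
}

// Request-side check matching the monitoring advice: flag a URL whose query
// KEYS (not values) contain a prototype-related segment. Keys are decoded up to
// three times so double-encoded probes are still caught.
function isPrototypePollutionProbe(url) {
  const q = url.indexOf('?');
  if (q === -1) return false;
  for (const pair of url.slice(q + 1).split('&')) {
    let key = pair.split('=')[0];
    for (let i = 0; i < 3; i++) {
      const dec = safeDecode(key);
      if (dec === key) break;
      key = dec;
    }
    if (key.replace(/\]/g, '').split('[').some((p) => FORBIDDEN.has(p))) return true;
  }
  return false;
}
```

`pollutionResult(PAYLOAD_PROTO, ['context', 'jquery'])` returns the injected `<img …>` string for `context` and `x` for `jquery`, and `PAYLOAD_CTOR` gives the same result by a different path, which is why both vectors need to be tested separately. `deparamSafe` returns an empty object for either payload while still parsing ordinary nested keys such as `user[name]=bob`. The detector inspects key names only, so a search box receiving `q=__proto__` does not fire. The walk above omits the array-index and type-coercion handling of the real deparam(); only the prototype-traversal behaviour is reproduced.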
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
Prototype Pollution in jquery-bbq (ghsa, 2021-05-24)
CVE-2021-20086 [HIGH] CWE-1321 Prototype Pollution in jquery-bbq
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
OSV
Prototype Pollution in jquery-bbq (osv, 2021-05-24)
CVE-2021-20086 [HIGH] Prototype Pollution in jquery-bbq
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
No detection rules found.
Nuclei
Odoo Apps - Cross-Site Scripting via Prototype Pollution (nuclei, CVSS 8.8)
CVE-2021-20086 [HIGH] Odoo Apps - Cross-Site Scripting via Prototype Pollution
jquery-bbq 1.2.1 contains a prototype pollution caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype; exploitation requires user interaction.
Template:
```yaml
id: CVE-2021-20086
info:
  name: Odoo Apps - Cross-Site Scripting via Prototype Pollution
  author: 1337rokudenashi
  severity: high
  description: |
    jquery-bbq 1.2.1 contains a prototype pollution caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype, exploit requires malicious user interaction.
  impact: |
    Attackers can modify Object.prototype, leading to potential security issues like property overwrites and ap
```
Tenable
Cross-Site Scripting in Odoo Apps via Prototype Pollution (blogs_tenable, 2022-04-06)
Tenable
Identifying Prototype Pollution Vulnerabilities: How Tenable.io Web Application Scanning Can Help (blogs_tenable, 2021-05-25)