CVE-2021-20086
published 2021-04-23

Priority: P2 (59), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available (Nuclei template)
EPSS: 6.10% (92.5th percentile)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.

Affected (2 ranges)

Vendor              Product     Version range   Fixed in
jquery-bbq_project  jquery-bbq  (not given)     (none listed)
jquery-bbq_project  jquery-bbq  0 – 1.2.1       (none listed)

Detection & IOCs (extracted from sources)

PoC URLs:
  • {{BaseURL}}/?__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x
  • {{BaseURL}}/?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&constructor%5Bprototype%5D%5Bjquery%5D=x
  • https://[odoo-app]/affected_page?__proto__%5Bcontext%5D=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&__proto__%5Bjquery%5D=x
  • https://[odoo-app]/affected_page?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&constructor%5Bprototype%5D%5Bjquery%5D=x

Nuclei template matchers (DSL, condition: and):
  • !contains(body, "debug:")
  • contains_all(body, "alert(document.domain)", "var odoo =")
  • status_code == 200
  • Detect prototype pollution XSS attempts by inspecting URL query parameters for the '__proto__' or 'constructor[prototype]' key shapes against Odoo instances; an Odoo instance is identifiable by the string 'var odoo =' in the response body.
  • The Shodan query 'html:"Odoo"' lists internet-exposed Odoo instances that may be vulnerable to this prototype pollution XSS via jquery-bbq deparam().
  • The vulnerability is triggered in the deparam() function of jquery-bbq 1.2.1 when it parses unsanitized URL query parameters into nested objects; monitor inbound requests for URL-encoded '__proto__' or 'constructor[prototype]' in the query string, and decode before matching, since the brackets normally arrive as %5B and %5D.
  • Two distinct key shapes reach Object.prototype: '__proto__[context]' with '__proto__[jquery]', and 'constructor[prototype][context]' with 'constructor[prototype][jquery]'. The second form was reported as a bypass of a workaround that only blocks the literal '__proto__' key, so a filter must reject 'constructor' and 'prototype' segments as well.
  • The Nuclei template sets 'stop-at-first-match: true' over its two request paths, so once the '__proto__' request matches the 'constructor[prototype]' request is never sent. A target that blocks only one shape therefore needs both vectors tested independently for complete coverage.
  • Exploitation requires victim interaction: the target user must open a specially crafted link. This is reflected XSS, not stored, so detection should focus on inbound request patterns rather than on stored content. Note that the NVD v3.1 vector (PR:L, UI:N, S:U) does not describe this link-based path, which needs no privileges on the target but does need the victim to open the link; assess exposure of a given deployment on the described behaviour rather than on the vector alone.
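The mechanism and the checks listed above, as an added example that is not code from jquery-bbq, Odoo, or the Nuclei template. It reimplements in simplified form the bracket-key walk that jquery-bbq's deparam() performs (the `cur = cur[key] = cur[key] || {}` pattern, without the array handling), places a hardened parser beside it that refuses the '__proto__', 'constructor' and 'prototype' segments and stores into prototype-less objects, and adds a request detector that decodes the query string before matching, going one step beyond the bullets by also catching a double-encoded payload. The two attack query strings are the ones from the PoC URLs on this page; the host name and the benign query are constructed. The jQuery-side gadget that turns the polluted `context` and `jquery` properties into script execution is not reproduced; the example stops at showing that Object.prototype was written.

```javascript
// Added example (not jquery-bbq's, Odoo's or the Nuclei template's own code).

// Split "a[b][c]" into ["a", "b", "c"]. Array syntax ("a[]") is omitted here.
function splitKey(key) {
  return key.replace(/\]/g, '').split('[');
}

// Decode "k=v&k2=v2" into [key, value] pairs, treating '+' as a space.
function parsePairs(query) {
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  return query.replace(/^\?/, '').split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    return eq < 0 ? [dec(part), ''] : [dec(part.slice(0, eq)), dec(part.slice(eq + 1))];
  });
}

// Vulnerable parser: mirrors the jquery-bbq 1.2.1 walk, which descends into
// whatever cur[key] already is (cur[key] || {}). "__proto__" resolves to
// Object.prototype, and "constructor" to the Object function whose "prototype"
// is again Object.prototype, so the final assignment lands on every object.
function deparamVulnerable(query) {
  const obj = {};
  for (const [key, val] of parsePairs(query)) {
    const keys = splitKey(key);
    let cur = obj;
    for (let i = 0; i < keys.length - 1; i++) {
      if (!cur[keys[i]]) cur[keys[i]] = {}; // create only when missing, as cur[key] || {} does
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = val;
  }
  return obj;
}

// Hardened parser: prototype-less containers, own-property checks, and an
// explicit refusal of the three segments that can reach a prototype.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function deparamHardened(query) {
  const obj = Object.create(null);
  for (const [key, val] of parsePairs(query)) {
    const keys = splitKey(key);
    if (keys.some((k) => BLOCKED_SEGMENTS.has(k))) continue; // drop the whole parameter
    let cur = obj;
    for (let i = 0; i < keys.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
      if (!own || typeof cur[keys[i]] !== 'object') cur[keys[i]] = Object.create(null);
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = val;
  }
  return obj;
}

// Inbound-request detector: decode the query up to twice (a double-encoded
// payload survives one decode), then look for the two key shapes the page names.
function isPrototypePollutionAttempt(url) {
  const q = url.indexOf('?') < 0 ? '' : url.slice(url.indexOf('?') + 1);
  let decoded = q;
  for (let i = 0; i < 2; i++) {
    try { decoded = decodeURIComponent(decoded.replace(/\+/g, ' ')); } catch (e) { break; }
  }
  return /__proto__\s*[\[.=]|constructor\s*[\[.]\s*prototype/i.test(decoded);
}

// Constructed samples: the two PoC query strings from this page on a placeholder
// host, plus one benign Odoo-looking request.
const SAMPLE_URLS = [
  'https://odoo.example.test/affected_page?__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x',
  'https://odoo.example.test/affected_page?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&constructor%5Bprototype%5D%5Bjquery%5D=x',
  'https://odoo.example.test/web?db=prod&view_type=list',
];

// Run one query through a parser and report whether Object.prototype gained the
// two PoC properties; the pollution is undone afterwards so the process stays clean.
function pollutionOutcome(url, parser) {
  parser(url.slice(url.indexOf('?') + 1));
  const polluted = ({}).context !== undefined || ({}).jquery !== undefined;
  delete Object.prototype.context;
  delete Object.prototype.jquery;
  return polluted;
}

function runDemo() {
  return SAMPLE_URLS.map((url) => ({
    url,
    flagged: isPrototypePollutionAttempt(url),
    vulnerableParserPolluted: pollutionOutcome(url, deparamVulnerable),
    hardenedParserPolluted: pollutionOutcome(url, deparamHardened),
  }));
}

for (const row of runDemo()) {
  console.log(row.flagged, row.vulnerableParserPolluted, row.hardenedParserPolluted, row.url);
}
```

The detector matches on the decoded query rather than on the raw '%5B' form because the same payload can be sent with literal brackets, with '+' for spaces, or double-encoded; a WAF rule that only looks for the encoded string from the PoC misses all three. The hardened parser drops the offending parameter instead of silently rewriting it, which keeps the rejection visible in logs.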

CVSS provenance

NVD v3.1: 8.8 HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P