CVE-2024-24807
2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sulu | sulu | >= 2.0.0, < 2.4.16 | affected |
| sulu | sulu | >= 2.5.0, < 2.5.12 | affected |
Weaknesses
- CWE-80: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv
- https://github.com/sulu/sulu/releases/tag/2.4.16
- https://github.com/sulu/sulu/releases/tag/2.5.12
References
- https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv
- https://github.com/sulu/sulu/releases/tag/2.4.16
- https://github.com/sulu/sulu/releases/tag/2.5.12
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.