13 vulnerabilities by sulu
CVE-2025-47778 (GCVE-0-2025-47778)
Vulnerability from cvelistv5 – Published: 2025-05-14 15:29 – Updated: 2025-05-14 18:13
Title
Sulu vulnerable to XXE in SVG File upload Inspector
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file that causes the XML DOM library to resolve external data, i.e. an XML External Entity (XXE) injection. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, the affected file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` can be patched manually. Note that the affected range begins at exactly the releases that fixed CVE-2024-47618 (XSS via uploaded SVG, listed below), so installations that upgraded for that issue fall inside the affected range for this one and need a further upgrade.
Severity
6.1 (Medium) — CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U (requires an admin-level account; see the CNA metrics in the record below)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255 (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544 (x_refsource_MISC)
- https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.5.21, < 2.5.25; >= 2.6.5, < 2.6.9; >= 3.0.0-alpha1, < 3.0.0-alpha3
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T18:13:08.671516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T18:13:14.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.21, \u003c 2.5.25"
},
{
"status": "affected",
"version": "\u003e= 2.6.5, \u003c 2.6.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha1, \u003c 3.0.0-alpha3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:29:08.187Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255"
},
{
"name": "https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544"
},
{
"name": "https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php"
}
],
"source": {
"advisory": "GHSA-f6rx-hf55-4255",
"discovery": "UNKNOWN"
},
"title": "Sulu vulnerable to XXE in SVG File upload Inspector"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47778",
"datePublished": "2025-05-14T15:29:08.187Z",
"dateReserved": "2025-05-09T19:49:35.620Z",
"dateUpdated": "2025-05-14T18:13:14.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47617 (GCVE-0-2024-47617)
Vulnerability from cvelistv5 – Published: 2024-10-03 14:24 – Updated: 2024-10-08 13:33
Title
Reflected XSS Vulnerability in Sulu Media Bundle
Summary
Sulu is a PHP content management system. A reflected cross-site scripting (XSS) vulnerability in the SuluMediaBundle component allows an attacker to inject arbitrary HTML/JavaScript through the media download URL. A victim who opens a crafted link could have sensitive information stolen, see manipulated site content, or have actions performed on their behalf. This vulnerability is fixed in 2.6.5 and 2.5.21. Note that the affected ranges in the record below are narrow (only 2.6.4 and 2.5.20).
Severity
6.1 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85 (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda (x_refsource_MISC)
- https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29 (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.6.4, < 2.6.5; >= 2.5.20, < 2.5.21
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T14:38:49.459437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T13:33:43.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.4, \u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.5.20, \u003c 2.5.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is a PHP content management system. This vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website\u0027s content, or perform actions on behalf of the victim. This vulnerability is fixed in 2.6.5 and 2.5.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T14:24:44.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85"
},
{
"name": "https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda"
},
{
"name": "https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29"
}
],
"source": {
"advisory": "GHSA-6784-9c82-vr85",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS Vulnerability in Sulu Media Bundle"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47617",
"datePublished": "2024-10-03T14:24:44.300Z",
"dateReserved": "2024-09-27T20:37:22.121Z",
"dateUpdated": "2024-10-08T13:33:43.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47618 (GCVE-0-2024-47618)
Vulnerability from cvelistv5 – Published: 2024-10-03 14:18 – Updated: 2024-10-18 14:42
Title
Sulu vulnerable to XSS via uploaded SVG
Summary
Sulu is a PHP content management system. Sulu is vulnerable to stored XSS: a low-privileged user with access to the "Media" section can upload an SVG file containing a malicious payload. Once the file is uploaded and accessed, the malicious JavaScript executes in the browsers of other users, including admins. This issue is fixed in 2.6.5 (and in 2.5.21 for the 2.5 branch, per the affected-version ranges in the record below).
Severity
5.1 (Medium) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44 (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9 (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.0.0-RC1, < 2.5.21; >= 2.6.0-RC1, < 2.6.5
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T13:20:32.450553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T13:34:22.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-RC1, \u003c 2.5.21"
},
{
"status": "affected",
"version": "\u003e= 2.6.0-RC1, \u003c 2.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is a PHP content management system. Sulu is vulnerable against XSS whereas a low privileged user with access to the \u201cMedia\u201d section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious javascript will be executed on the victims\u2019 (other users including admins) browsers. This issue is fixed in 2.6.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T14:42:45.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-255w-87rh-rg44"
},
{
"name": "https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/ca72f75eebe41ea7726624d8aea7da6c425f1eb9"
}
],
"source": {
"advisory": "GHSA-255w-87rh-rg44",
"discovery": "UNKNOWN"
},
"title": "Sulu vulnerable to XSS via uploaded SVG"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47618",
"datePublished": "2024-10-03T14:18:02.129Z",
"dateReserved": "2024-09-27T20:37:22.121Z",
"dateUpdated": "2024-10-18T14:42:45.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37156 (GCVE-0-2024-37156)
Vulnerability from cvelistv5 – Published: 2024-06-06 16:03 – Updated: 2024-08-02 03:50
Title
TokenController formName not sanitized in hidden input
Summary
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The `formName` GET parameter of the TokenController is not sanitized before being echoed into the returned hidden input field, which leads to reflected XSS. This vulnerability is fixed in 2.5.3.
Severity
6.1 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
- https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3 (x_refsource_CONFIRM)
- https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sulu | SuluFormBundle | Affected: >=2.0.0, < 2.5.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T12:57:53.699448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T20:48:56.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:54.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3"
},
{
"name": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SuluFormBundle",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e=2.0.0, \u003c 2.5.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T16:03:46.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/SuluFormBundle/security/advisories/GHSA-rrvc-c7xg-7cf3"
},
{
"name": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/SuluFormBundle/commit/3f341b71a7309cbc8fd2c5bff894c654d1679b17"
}
],
"source": {
"advisory": "GHSA-rrvc-c7xg-7cf3",
"discovery": "UNKNOWN"
},
"title": "TokenController formName not sanitized in hidden input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37156",
"datePublished": "2024-06-06T16:03:46.771Z",
"dateReserved": "2024-06-03T17:29:38.329Z",
"dateUpdated": "2024-08-02T03:50:54.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27915 (GCVE-0-2024-27915)
Vulnerability from cvelistv5 – Published: 2024-03-06 19:33 – Updated: 2025-04-16 15:54
Title
Sulu grants access to pages regardless of role permissions
Summary
Sulu is a PHP content management system. Starting in version 2.2.0 and prior to versions 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces that have a security system configured and the permission check enabled. Webspaces without such a configuration are not affected. The problem is patched in versions 2.4.17 and 2.5.13. As a workaround, one may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually, or avoid installing `symfony/security-http` versions greater than or equal to `v5.4.30` or `v6.3.6`. The second workaround pins a transitive Symfony dependency and so blocks later updates to that package; treat it as temporary and upgrade Sulu as soon as possible.
Severity
6.8 (Medium) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
- CWE-863 - Incorrect Authorization
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.2.0, < 2.4.17; >= 2.5.0-alpha1, < 2.5.13
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"lessThan": "2.4.17",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "2.5.13",
"status": "affected",
"version": "2.5.0-alpha1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27915",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:35:44.612681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T15:54:40.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p"
},
{
"name": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.4.17"
},
{
"status": "affected",
"version": "\u003e= 2.5.0-alpha1, \u003c 2.5.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-06T19:33:11.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p"
},
{
"name": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da"
}
],
"source": {
"advisory": "GHSA-jr83-m233-gg6p",
"discovery": "UNKNOWN"
},
"title": "Sulu grants access to pages regardless of role permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27915",
"datePublished": "2024-03-06T19:33:11.798Z",
"dateReserved": "2024-02-28T15:14:14.213Z",
"dateUpdated": "2025-04-16T15:54:40.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24807 (GCVE-0-2024-24807)
Vulnerability from cvelistv5 – Published: 2024-02-05 20:09 – Updated: 2024-08-01 23:28
Title
Sulu is vulnerable to HTML Injection via Autocomplete Suggestion
Summary
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. HTML entered as a tag name is not neutralized and is rendered when that tag name is listed in the autocomplete suggestions of a form. Only admin users can create tags, so only admin users are affected. The problem is patched in versions 2.4.16 and 2.5.12.
Severity
2.7 (Low) — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/releases/tag/2.4.16 (x_refsource_MISC)
- https://github.com/sulu/sulu/releases/tag/2.5.12 (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.0.0, < 2.4.16; >= 2.5.0, < 2.5.12
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sulu:sulu:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:a:sulu:sulu:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T19:25:07.228689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:43:18.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.4.16",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.4.16"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.5.12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.5.12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.4.16"
},
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T20:09:36.891Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-gfrh-gwqc-63cv"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.4.16",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.4.16"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.5.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.5.12"
}
],
"source": {
"advisory": "GHSA-gfrh-gwqc-63cv",
"discovery": "UNKNOWN"
},
"title": "Sulu is vulnerable to HTML Injection via Autocomplete Suggestion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24807",
"datePublished": "2024-02-05T20:09:36.891Z",
"dateReserved": "2024-01-31T16:28:17.941Z",
"dateUpdated": "2024-08-01T23:28:12.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39343 (GCVE-0-2023-39343)
Vulnerability from cvelistv5 – Published: 2023-08-04 00:06 – Updated: 2024-10-03 18:21
Title
Sulu Observable Response Discrepancy on Admin Login
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. The admin login form responds differently depending on whether the submitted username or e-mail address exists, allowing an attacker to enumerate valid accounts. Sulu installations not using the old Symfony 5.4 security system (and previous versions) are not impacted by this issue. The vulnerability has been patched in version 2.5.10.
Severity
4.3 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b (x_refsource_MISC)
- https://github.com/sulu/sulu/releases/tag/2.5.10 (x_refsource_MISC)
Impacted products
- sulu / sulu: >= 2.5.0, < 2.5.10
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:02:06.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"
},
{
"name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.5.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.5.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T18:21:36.480062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T18:21:46.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0, \u003c 2.5.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu Installation not using the old Symfony 5.4 security System and previous version are not impacted by this Security issue. The vulnerability has been patched in version 2.5.10. \n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-04T00:06:29.997Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wmwf-49vv-p3mr"
},
{
"name": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/5f6c98ba030b2005793e2dc647cc938937ea889b"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/2.5.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/releases/tag/2.5.10"
}
],
"source": {
"advisory": "GHSA-wmwf-49vv-p3mr",
"discovery": "UNKNOWN"
},
"title": "Sulu Observable Response Discrepancy on Admin Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39343",
"datePublished": "2023-08-04T00:06:29.997Z",
"dateReserved": "2023-07-28T13:26:46.476Z",
"dateUpdated": "2024-10-03T18:21:46.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43836 (GCVE-0-2021-43836)
Vulnerability from cvelistv5 – Published: 2021-12-15 20:10 – Updated: 2024-08-04 04:10
Title
PHP file inclusion in the Sulu admin panel
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions, an attacker can read arbitrary local files via a PHP file include; in a default configuration this also leads to remote code execution. The problem is patched in versions 1.6.44, 2.2.18, 2.3.8, and 2.4.0. Users unable to upgrade can override the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language. The CVSS vector (PR:L, AC:H) indicates the attack requires an authenticated low-privilege account, consistent with the title placing the issue in the admin panel.
Severity
8.5 (High) — CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
GitHub_M
References
- https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh (x_refsource_CONFIRM)
- https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54 (x_refsource_MISC)
Impacted products
- sulu / sulu: < 1.6.44; >= 2.0.0, < 2.2.18; >= 2.3.0, < 2.3.8
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:16.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.44"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.2.18"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T20:10:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
}
],
"source": {
"advisory": "GHSA-vx6j-pjrh-vgjh",
"discovery": "UNKNOWN"
},
"title": "PHP file inclusion in the Sulu admin panel",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43836",
"STATE": "PUBLIC",
"TITLE": "PHP file inclusion in the Sulu admin panel"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sulu",
"version": {
"version_data": [
{
"version_value": "\u003c 1.6.44"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.2.18"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.3.8"
}
]
}
}
]
},
"vendor_name": "sulu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
},
{
"name": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54",
"refsource": "MISC",
"url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
}
]
},
"source": {
"advisory": "GHSA-vx6j-pjrh-vgjh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43836",
"datePublished": "2021-12-15T20:10:10",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:16.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43835 (GCVE-0-2021-43835)
Vulnerability from cvelistv5 – Published: 2021-12-15 20:00 – Updated: 2024-08-04 04:10
Title
Privilege escalation in the Sulu Admin panel
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions, Sulu users who have access to any subset of the admin UI are able to elevate their privileges. Over the API it was possible for them to grant themselves permissions to areas to which they did not already have access. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The issue has been patched in versions 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade, the only known workaround is to apply a patch to the ProfileController manually.
Severity ?
7.2 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:15.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.2.18"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-15T20:00:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28a"
}
],
"source": {
"advisory": "GHSA-84px-q68r-2fc9",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation in the Sulu Admin panel",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43835",
"STATE": "PUBLIC",
"TITLE": "Privilege escalation in the Sulu Admin panel"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sulu",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0, \u003c 2.2.18"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.3.8"
}
]
}
}
]
},
"vendor_name": "sulu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already had. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched in 2.2.18, 2.3.8 and 2.4.0. For users unable to upgrade the only known workaround is to apply a patch to the ProfileController manually."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9"
},
{
"name": "https://github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28a",
"refsource": "MISC",
"url": "https://github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28a"
}
]
},
"source": {
"advisory": "GHSA-84px-q68r-2fc9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43835",
"datePublished": "2021-12-15T20:00:16",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:10:15.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41169 (GCVE-0-2021-41169)
Vulnerability from cvelistv5 – Published: 2021-10-21 20:25 – Updated: 2024-08-04 02:59
Title
Improper Neutralization HTML tags in sulu/sulu
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. Versions before 1.6.43 are subject to stored cross-site scripting attacks: HTML input in tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.
Severity ?
6.2 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.43"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-21T20:25:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"
}
],
"source": {
"advisory": "GHSA-h58v-g3q6-q9fx",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization HTML tags in sulu/sulu",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41169",
"STATE": "PUBLIC",
"TITLE": "Improper Neutralization HTML tags in sulu/sulu"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sulu",
"version": {
"version_data": [
{
"version_value": "\u003c 1.6.43"
}
]
}
}
]
},
"vendor_name": "sulu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-h58v-g3q6-q9fx"
},
{
"name": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445",
"refsource": "MISC",
"url": "https://github.com/sulu/sulu/commit/20007ac70a3af3c9e53a6acb0ef8794b65642445"
}
]
},
"source": {
"advisory": "GHSA-h58v-g3q6-q9fx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41169",
"datePublished": "2021-10-21T20:25:10",
"dateReserved": "2021-09-15T00:00:00",
"dateUpdated": "2024-08-04T02:59:31.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32737 (GCVE-0-2021-32737)
Vulnerability from cvelistv5 – Published: 2021-07-02 17:55 – Updated: 2024-08-03 23:33
Title
XSS Injection in Media Collection Title was possible
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged-in admin user to inject a script (cross-site scripting) into the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files instead of updating.
Severity ?
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/releases/tag/1.6.41"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.41"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T17:55:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sulu/sulu/releases/tag/1.6.41"
}
],
"source": {
"advisory": "GHSA-gm2x-6475-g9r8",
"discovery": "UNKNOWN"
},
"title": "XSS Injection in Media Collection Title was possible",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32737",
"STATE": "PUBLIC",
"TITLE": "XSS Injection in Media Collection Title was possible"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sulu",
"version": {
"version_data": [
{
"version_value": "\u003c 1.6.41"
}
]
}
}
]
},
"vendor_name": "sulu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-site-scripting) in the collection title. The problem is patched in version 1.6.41. As a workaround, one may manually patch the affected JavaScript files in lieu of updating."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-gm2x-6475-g9r8"
},
{
"name": "https://github.com/sulu/sulu/releases/tag/1.6.41",
"refsource": "MISC",
"url": "https://github.com/sulu/sulu/releases/tag/1.6.41"
}
]
},
"source": {
"advisory": "GHSA-gm2x-6475-g9r8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32737",
"datePublished": "2021-07-02T17:55:09",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15132 (GCVE-0-2020-15132)
Vulnerability from cvelistv5 – Published: 2020-08-05 20:30 – Updated: 2024-08-04 13:08
Title
Reset Password / Login vulnerability in Sulu
Summary
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with an error message saying that this user name does not exist. This enables attackers to enumerate valid usernames. Also, if the operation was successful, the response of the "Forgot Password" request returns the email address to which the email was sent. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1.
Severity ?
5.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6r"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "sulu",
"vendor": "sulu",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.35"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.10"
},
{
"status": "affected",
"version": "= 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the \"Forget password\" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the \"Forgot Password\" request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-05T20:30:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6r"
}
],
"source": {
"advisory": "GHSA-wfm4-pq59-wg6r",
"discovery": "UNKNOWN"
},
"title": "Reset Password / Login vulnerability in Sulu",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15132",
"STATE": "PUBLIC",
"TITLE": "Reset Password / Login vulnerability in Sulu"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sulu",
"version": {
"version_data": [
{
"version_value": "\u003c 1.6.35"
},
{
"version_value": "\u003e= 2.0.0, \u003c 2.0.10"
},
{
"version_value": "= 2.1.0"
}
]
}
}
]
},
"vendor_name": "sulu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the \"Forget password\" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the \"Forgot Password\" request returns the email address to which the email was sent, if the operation was successful. This information should not be exposed, as it can be used to gather email addresses. This problem was fixed in versions 1.6.35, 2.0.10 and 2.1.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209: Generation of Error Message Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6r",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu/security/advisories/GHSA-wfm4-pq59-wg6r"
}
]
},
"source": {
"advisory": "GHSA-wfm4-pq59-wg6r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15132",
"datePublished": "2020-08-05T20:30:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1000465 (GCVE-0-2017-1000465)
Vulnerability from cvelistv5 – Published: 2018-01-09 22:00 – Updated: 2024-09-16 16:38
Summary
Sulu-standard version 1.6.6 is vulnerable to a stored cross-site scripting vulnerability within the page creation page, which can result in disruption of service and execution of JavaScript code.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:00:41.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sulu/sulu-standard/issues/835"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2017-12-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripting vulnerability, within the page creation page, which can result in disruption of service and execution of javascript code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-09T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sulu/sulu-standard/issues/835"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2017-12-29",
"ID": "CVE-2017-1000465",
"REQUESTER": "sajeeb.lohani@bulletproof.sh",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripting vulnerability, within the page creation page, which can result in disruption of service and execution of javascript code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sulu/sulu-standard/issues/835",
"refsource": "CONFIRM",
"url": "https://github.com/sulu/sulu-standard/issues/835"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000465",
"datePublished": "2018-01-09T22:00:00Z",
"dateReserved": "2018-01-09T00:00:00Z",
"dateUpdated": "2024-09-16T16:38:03.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}