Sulu Fixes HTML Execution Vulnerability
CVE-2024-24807

4.8MEDIUM

Key Information:

Vendor: sulu
Status: sulu
Vendor: CVE Published:; 5 February 2024

🔔 Create sulu Vulnerability Alert

What is CVE-2024-24807?

Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.

Affected Version(s)

sulu >= 2.0.0, < 2.4.16 < 2.0.0, 2.4.16

sulu >= 2.5.0, < 2.5.12 < 2.5.0, 2.5.12

References

https://github.com/sulu/sulu/security/advisories/GHSA-gfr...

x_refsource_CONFIRM

https://github.com/sulu/sulu/releases/tag/2.4.16

x_refsource_MISC

https://github.com/sulu/sulu/releases/tag/2.5.12

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 5, 2024
Vulnerability Reserved
Jan 31, 2024

CVE-2024-24807 Data

.